From 08ffec7c1fe01d908e5ada3e83de652baf3b7f39 Mon Sep 17 00:00:00 2001 From: david942j Date: Wed, 29 Nov 2023 15:46:01 +0000 Subject: [PATCH] Update builds after #203 merged 
Signed-off-by: david942j --- ...1e14462fc6097604edd54a2ee63664c65b2c12b.rb | 21 +++-- ...1e23c38126dad7db569b176808a7c54db64a086.rb | 17 ++-- ...2093f433808b294939b7a84c436c9eb4ec7f084.rb | 18 ++-- ...301225d38bb881df8962a45d8c7f97449628511.rb | 21 +++-- ...36830b8f13a440ab4f419e46889b60e6e2b4211.rb | 21 +++-- ...3913aa050d557a99cc18f7b10e35f06e7c9265e.rb | 17 ++-- ...5438cea9c1f9b3bbca9d9718319ee3742937f2e.rb | 21 +++-- ...5d284a054b0c444fe40e91b25155a637b5cd35b.rb | 21 +++-- ...81d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb | 21 +++-- ...9aa28fd1054ee91085a7e13da58891c2d22058d.rb | 17 ++-- ...b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb | 21 +++-- ...ca781d9dae5d7689f112aa047b949ba253a1a24.rb | 21 +++-- ...cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb | 17 ++-- ...dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb | 18 ++-- ...e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb | 21 +++-- ...fe755222a275227e03414bf80fe98560038cf7e.rb | 21 +++-- ...0c913aa6554f3128781afb7846ac481b64c10b6.rb | 18 ++-- ...142f4753ddff69c217e1e539272eaaf7d75da4c.rb | 21 +++-- ...2d7f074b08cab569614830552b5fe8a32707295.rb | 17 ++-- ...45bd51d758bf9c3e3b45949a2023cbaa0941e37.rb | 17 ++-- ...5b6f6d06e3435a22c15398ce99c3d649112f576.rb | 17 ++-- ...5c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb | 17 ++-- ...606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb | 21 +++-- ...7e8467dfe433c3622e6874d5795f6ac8edc8951.rb | 21 +++-- ...d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb | 18 ++-- ...dae2bc5818d22b565ed441211d0e2df6e942c25.rb | 18 ++-- ...db2291c040579630f551b3568d0bc8758aa25d7.rb | 17 ++-- ...dcad38451d0f4e339ac91079d6a20e40015d7f4.rb | 21 +++-- ...0f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb | 21 +++-- ...1f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb | 18 ++-- ...2325505e6f257ab00ca32d46cd444c903d5dc89.rb | 21 +++-- ...2ea459c5bf13179544fc0bc92372ebe52792f53.rb | 21 +++-- ...67899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb | 17 ++-- ...6d70c7187d46c01bea7c22e8428fd6569d0f29c.rb | 21 +++-- ...7ae159e7958021d9c784daa60ac582aeb2e380c.rb | 
21 +++-- ...86f68616b18ea86201b1bd81c4e39ab441a876f.rb | 21 +++-- ...9ad0fae22588909ae24075cf3d30123d3563a3c.rb | 17 ++-- ...9c9abe596db30c86fe28d30dc275485c7e3f240.rb | 21 +++-- ...aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb | 17 ++-- ...b7794adc3efbe94dd7f17bb28382f42415ef32c.rb | 18 ++-- ...bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb | 21 +++-- ...bba9d358bac63ff81597767b5bc229316bd12e0.rb | 17 ++-- ...dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb | 17 ++-- ...dc3a77a63a29cdfce5000c5e562da4574560802.rb | 21 +++-- ...ee2c632ffc91afb8662573f6870c70a03fecaad.rb | 18 ++-- ...fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb | 21 +++-- ...09303fe5b44867525d535b4b8df1d9890128765.rb | 17 ++-- ...0c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb | 19 +++-- ...0d456d1974436ca70141610c206bbd4e9ac127f.rb | 21 +++-- ...0dfa78b54091b3517212562fbe71c82031135df.rb | 21 +++-- ...19d6e67364b59468f00c62003e31f9698590885.rb | 21 +++-- ...25f373d48d6e3eb950fb4a1841cee80adf696e4.rb | 21 +++-- ...35b30edc15f874730295594b30528ba178aeca7.rb | 17 ++-- ...3adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb | 21 +++-- ...4eca1b0e54755d19a70d3a74b744911f746902a.rb | 21 +++-- ...5597c5d9140178626b2989b0f3049c825f17249.rb | 21 +++-- ...565b3bf199d386bd0188a3690135b2ef82a559e.rb | 18 ++-- ...65c74dde459303730e276b4d6022f1eacda06fd.rb | 21 +++-- ...691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb | 21 +++-- ...701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb | 21 +++-- ...883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb | 18 ++-- ...95c995bb2028f96efb60a6ebce75ed51d58c0b0.rb | 18 ++-- ...9612ce36adeb6f7e92658cd62c737bc3a260586.rb | 21 +++-- ...97c84e78c14cbffba39a48184db482211df9fb3.rb | 13 +-- ...9f403e178f6c4db89f200bae5afd6c55f61e34b.rb | 21 +++-- ...bbdc31d826a2bd8af0919d958620342c295c557.rb | 17 ++-- ...ea89e2234c5203ef245cd4146b515794079ceac.rb | 21 +++-- ...f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb | 17 ++-- ...0410c37ab2b3867bcc1efa841c4bd990bbaced6.rb | 17 ++-- ...0443517ebed72833c0cea4364db0346c422be75.rb | 21 +++-- 
...10c538cbb80e04ba67f8f93ead7c915cb8b151e.rb | 21 +++-- ...10c5d16e862678b3263a8250ad936b99554050c.rb | 21 +++-- ...2150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb | 21 +++-- ...315ee2103b2f1797d8d18ef03714dbdc4417095.rb | 18 ++-- ...360063303905bf941489398b5601c5e2bc6c3a7.rb | 17 ++-- ...41d0bc3f372750187a7cc29528fca0f2fa4297d.rb | 18 ++-- ...44c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb | 21 +++-- ...58c7913f032820ce7610496892f79a4779b0224.rb | 21 +++-- ...60355a265c134c0c801820ab5e80e37e2cd9b00.rb | 18 ++-- ...7411da31c1af33c897d1646f68d4443c3a156f2.rb | 17 ++-- ...82a813d828d5fe257838e679dff9b7be56bf4fb.rb | 17 ++-- ...84428905d6e138e0b88e97107732ace68c12752.rb | 18 ++-- ...866fc3ad424dfb788e9ad11039b7759f3b51574.rb | 17 ++-- ...8b333aa64a86c31334714305379a6c1f1701c69.rb | 18 ++-- ...9f3ac15a25f78f0258283b3a207017e51ced583.rb | 21 +++-- ...a384b8c751de6c0e2652261310104bf1b2127d5.rb | 21 +++-- ...a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb | 21 +++-- ...daad26169c5c868b8ae90587fff76cc28e7b309.rb | 21 +++-- ...e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb | 21 +++-- ...e9b0243eb28ea1a14539448a5317d6215fa13fa.rb | 21 +++-- ...eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb | 17 ++-- ...f953c59dca85d439af86c6564c9fdb07cccafd5.rb | 21 +++-- ...09ee0c9616c4c3ed81951501a8950e1f529bbff.rb | 13 +-- ...0c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb | 21 +++-- ...0e2c3560712d3d9f7af3d155cdeb69687045dd2.rb | 17 ++-- ...12993e1c66001e0ad11feea73ddfc22f9c0767b.rb | 21 +++-- ...15cd2920490d13129bbad0514c7c7c7e67c18bc.rb | 21 +++-- ...1a7763b217be74d9da6fd006c32f82ef82477b5.rb | 18 ++-- ...382058b69031caa9b9996c11061cd164c9398ff.rb | 19 +++-- ...455f3eafe22e7a085c3568bebc324a2ade811ea.rb | 21 +++-- ...4b97c45aa9ce58ba4dea4eda316f49927e51cff.rb | 21 +++-- ...4fe99efd891702e87da514403a2d3d8cae8032b.rb | 21 +++-- ...537ab284321fdc6efd07276d6e4c524014bf069.rb | 21 +++-- ...5e62f166b419389a0de90ceab52c337946ba643.rb | 21 +++-- ...6338f83f1b656ee4395a8d3bddf810725151e91.rb | 21 +++-- 
...8915015546da78c4116e45480be238bac4c59a7.rb | 18 ++-- ...8cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb | 18 ++-- ...962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb | 18 ++-- ...a49bf8def435ac3fe9208df3c6b5622fe347a97.rb | 19 +++-- ...a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb | 21 +++-- ...a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb | 17 ++-- ...a968877a4a31019701f53ed38130c1313a5e0ad.rb | 21 +++-- ...ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb | 21 +++-- ...b344bb54cc929c6849371987107f587bd9e0d48.rb | 17 ++-- ...b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb | 21 +++-- ...ba8f97e1beb7f068474d473e2db786c07df8561.rb | 21 +++-- ...c02e6b0e80785f5944265c698dc811862018d21.rb | 21 +++-- ...c14523f13f0fb9be3366f446e9e48165373ddf8.rb | 18 ++-- ...e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb | 17 ++-- ...05a6d751871d12a83e34359ff4d73c895d6f4ce.rb | 21 +++-- ...0b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb | 12 +-- ...0c7d280d7c8af6758a3a951524487641f349460.rb | 21 +++-- ...1eeda0c442c32c20f93008acbc978e28cca956d.rb | 18 ++-- ...3b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb | 21 +++-- ...573062b2d3648b5970f82fbd63cd154c9d84661.rb | 21 +++-- ...573e7dbcbb6179989e2308746f65b95c4117485.rb | 18 ++-- ...850f318041a1a5a202ab0512dda55e80ff19ec8.rb | 18 ++-- ...8977b6661c8b646d7d88e32d81916937e346001.rb | 18 ++-- ...9673214041206e0eee5b9b5b47fd12d733127e1.rb | 17 ++-- ...a6d6625087a1de6139a620795ef8b2360a06592.rb | 18 ++-- ...abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb | 21 +++-- ...aff6d091954955fe931bb720a17708513aabda7.rb | 21 +++-- ...b536aa43eabd040e5117034f582d1c0374980cd.rb | 21 +++-- ...d7e55c204d097c75f6b89717876c17f0dc1779a.rb | 18 ++-- ...d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb | 21 +++-- ...ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb | 17 ++-- ...00e2a19dfcc8e20b41145039b6c823123676696.rb | 18 ++-- ...05f27d45e46aeda2619beb62fc804d1c2fbe26c.rb | 21 +++-- ...07bc133809b86abab918bb8a8fc7791fe916765.rb | 21 +++-- ...4a3b58450e957c04e2cca3619695cb3d73bb68e.rb | 21 +++-- 
...4bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb | 18 ++-- ...553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb | 17 ++-- ...7063a4c59e02c182d5afae288f450c7cdf5b6da.rb | 21 +++-- ...7504f0405a2d81d64310f262ac559cdc8375b04.rb | 17 ++-- ...7bcde9cd55f5ca93684b46705e0851585b94019.rb | 19 +++-- ...8c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb | 21 +++-- ...a7914eec99efd40990d0b1978a01caf46612636.rb | 17 ++-- ...ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb | 21 +++-- ...cf04fce2326ced25e80c0d7972408574a0817e6.rb | 17 ++-- ...d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb | 17 ++-- ...e523a4a16878ad1fcb7844e93bdd4d474843f86.rb | 21 +++-- ...e97512d5895e6d5e26dc5b26b31c575a80f0188.rb | 21 +++-- ...f380884708f0bac5c779705562e01ccc7ecf223.rb | 18 ++-- ...f6d04c0ad1b67e316c80cd606720675fc111b50.rb | 21 +++-- ...fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb | 21 +++-- ...0c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb | 21 +++-- ...131bf46e87501516970176f3f7e86762ffcc3bf.rb | 21 +++-- ...3aef0e751f3dddd4b56c5be57524239e39eecaa.rb | 18 ++-- ...3f3af43ecaf52a63801ea59ad113835dfb31d58.rb | 21 +++-- ...45104cd0116005c9b9569fe3c6d5afd3689a01e.rb | 21 +++-- ...564abd306654cfc468a54117954244e1a2c9102.rb | 21 +++-- ...63b5d3db2ef5af0b32dba633dca439a3908c42e.rb | 17 ++-- ...66e18be92e8dcab711b7c1e3402065deff5df70.rb | 21 +++-- ...69f691faebbe08548ec64381e41acf5997c0fb0.rb | 21 +++-- ...7805ebef970b79b4a1fb5facb43719a26c335af.rb | 21 +++-- ...87a7db21e668f6153604d9e00d1026137f777ee.rb | 21 +++-- ...b05579712ebaea7cae547f4fc461c0828e9c446.rb | 21 +++-- ...c5d5643cd08bc078f22310103f7c6af4ed37921.rb | 17 ++-- ...cb4573f8cc3764df7570800247a76dd63d847b4.rb | 17 ++-- ...d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb | 13 +-- ...e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb | 17 ++-- ...fa762223d6b8ee6d47af7455c691a5e238c8209.rb | 21 +++-- ...0b068141be8b0f52ef8dc93e8327cda87a632bc.rb | 19 +++-- ...13a7e92e674593c7e1121b0013d81e20cebe85c.rb | 17 ++-- ...356622cb19154bd2d3bb21e67f188e3cc3e2902.rb | 18 ++-- 
...5287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb | 19 +++-- ...a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb | 17 ++-- ...bf807e100d6c152efd7e845c65ecfb92e2e202e.rb | 21 +++-- ...d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb | 17 ++-- ...e817f4c472417e94d161b392e13d6aeb76f0b5a.rb | 21 +++-- ...13df1fb206f167af0eef4d438f3949d80f8bce3.rb | 17 ++-- ...1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb | 21 +++-- ...2d884479c5c8f73fbb82e6fefa5083623826cc1.rb | 21 +++-- ...3386004b2a158b95ba4c26c01e421e6c2191a47.rb | 21 +++-- ...3c88cff23421ec2e3c97860bdf28868592ed14c.rb | 12 +-- ...3ebc8ad2873288cbd2a510de65161c697310e5c.rb | 21 +++-- ...4b13a91fc5d961be3e1a68a30938ba840ae4290.rb | 21 +++-- ...6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb | 21 +++-- ...62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb | 18 ++-- ...71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb | 18 ++-- ...7204938a680127c01c9799462c3b33035f06358.rb | 21 +++-- ...77581d3046ec7a2176ba4bebc222562668d9fd6.rb | 21 +++-- ...77d09f3b8cbad4c430378157308f6cb71549a5a.rb | 21 +++-- ...7e2264ecf52a64ea3ab55163132240c3142eafd.rb | 21 +++-- ...820f849dda0b99ed06dd59bb88404969b3a5f88.rb | 21 +++-- ...9f67b66e93e0abd79f1d8028188377397e4536b.rb | 21 +++-- ...b474a836c41aed0f0bad2ddc66388253bfa75af.rb | 18 ++-- ...d03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb | 17 ++-- ...d91c7db0fad11b03e3ce92eda28f673cb36db5d.rb | 21 +++-- ...df7d21d8b442e6b601ad3dcc180608193d2d041.rb | 18 ++-- ...166aefc9dff38869ad893bea2e9ce5e848628b1.rb | 21 +++-- ...2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb | 21 +++-- ...32788d3f2b080bd447b295cf59ace25fbfce313.rb | 17 ++-- ...4fbe819a1dc946528b4added1887eb9ca130275.rb | 18 ++-- ...571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb | 19 +++-- ...700a5d57528fde5c441b020bcc4e19a9099e05b.rb | 21 +++-- ...71ed2c38888a9d0e2c977877193e01a64e97a5d.rb | 21 +++-- ...9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb | 21 +++-- ...a1b1c588dbf0ebb80c646060af92e5a93825fee.rb | 21 +++-- ...b34f13b7ae5fe42cdd14b96dc278f9726424cac.rb | 21 +++-- 
...b91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb | 17 ++-- ...d25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb | 21 +++-- ...d69ec1fafeef65209d9874025fd45e093b23144.rb | 21 +++-- ...e4425690f42dd1807770d974ff87b88c51d306d.rb | 21 +++-- ...f368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb | 21 +++-- ...00c9b70ba01f92a952474258bed608c3e7be6b9.rb | 21 +++-- ...0ee9400445c93ecbc8562e006a8b95ed4d07834.rb | 21 +++-- ...24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb | 21 +++-- ...379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb | 21 +++-- ...40027c0c6f76c27293f7570888b9d64e1a93285.rb | 21 +++-- ...41ed0ae53a1a559a44a1140c77c3b274a38e442.rb | 21 +++-- ...4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb | 17 ++-- ...46746723526fa9feb3cdf4218ec24c9179131ad.rb | 18 ++-- ...5affb5af2f506eb7d48c471160790d4c24e81ae.rb | 17 ++-- ...5e45bf4881c526999786f4dd2718042b20e582c.rb | 21 +++-- ...7cab037359898862b1584a1e3c3372683daad3f.rb | 17 ++-- ...83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb | 18 ++-- ...ad76dba04139f928612ee55bf9e14b74e1b7c3f.rb | 18 ++-- ...afa8de523249f48aebec877e9f45f904e4d62a4.rb | 21 +++-- ...b46f5139038116d66a73281a3aca373f8ac7428.rb | 21 +++-- ...b6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb | 12 +-- ...b8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb | 21 +++-- ...ba6f22d1ee9163390664add53a9ef135c664903.rb | 18 ++-- ...e25be66ee91861336df34413f53446cb41a2601.rb | 17 ++-- ...f43a056242aa025a153e4a7b6698edd7497f305.rb | 18 ++-- ...f699a15caae64f50311fc4655b86dc39a479789.rb | 19 +++-- ...06fb2560475e149d6d2401eae955164eb8262fa.rb | 18 ++-- ...11506d7facb213bd2c6063f010a42fa9d723879.rb | 18 ++-- ...1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb | 21 +++-- ...2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb | 21 +++-- ...56aa9d47cf61192f75e28fef805c0ce20502157.rb | 17 ++-- ...66b201cb2987a585890d4be28cf92dad14cb760.rb | 17 ++-- ...6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb | 21 +++-- ...80f3b321f845a71f3c47d913dd3e65152565863.rb | 21 +++-- ...8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb | 17 ++-- 
...9a10b8ef90300628dd0a3a535106967714d7328.rb | 19 +++-- ...b3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb | 21 +++-- ...d1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb | 21 +++-- ...f559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb | 21 +++-- ...01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb | 18 ++-- ...10149c2a9bf0df3c9149b351168fcd32adb41c6.rb | 17 ++-- ...13d310493f24ceb84f232c5f72469cbe516d57a.rb | 21 +++-- ...2773917e0ca89ebc16787d8cbc96400088583ec.rb | 21 +++-- ...4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb | 21 +++-- ...53d50e134c10f91f8cf52b1778f85b7926147cc.rb | 18 ++-- ...540f810b37a33fab5b3116fdbf8bcaacc000c16.rb | 18 ++-- ...5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb | 21 +++-- ...6ac06f6c982d98a419cec51de313ea609f2b1f2.rb | 21 +++-- ...6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb | 21 +++-- ...70d0551a6ce8feb294de6c138135b58d8763e85.rb | 17 ++-- ...806961cc6bc18acfd55df2613b100a9e733cebd.rb | 12 +-- ...882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb | 21 +++-- ...892e2e9d5818511e2390e642edd1d4cf2331885.rb | 17 ++-- ...89b2153fd6795f03d6cd1dd789241326a7ee458.rb | 21 +++-- ...bc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb | 18 ++-- ...cc10e3f1443d65007126bef8184ac84bfdf6b7c.rb | 17 ++-- ...dc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb | 21 +++-- ...dd5ba629053d507cb963d5269db6e7ae5bde36e.rb | 17 ++-- ...3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb | 21 +++-- ...5c375701c2c4406306201e19b42521f504175ec.rb | 21 +++-- ...5e1349016d93661914069bcc7254e702434e445.rb | 21 +++-- ...6248141094bb965d660fd2ce31d8534593c1003.rb | 21 +++-- ...6ba6844f5bba0603e13b577328b9f326d4fef8a.rb | 18 ++-- ...8cc1a32de8229e21b61215844be0462c6ac49a6.rb | 18 ++-- ...9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb | 21 +++-- ...b899b514fa6763ad006688efb32ecf9ca691ff3.rb | 21 +++-- ...d51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb | 21 +++-- ...d5df0d8007d692d1c00226f81ba04b4f734b5b2.rb | 21 +++-- ...e493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb | 21 +++-- ...e76e177d397e9bdccf270232cc7e3a06e84aeb1.rb | 21 +++-- 
...24df4febc9c789a8eeb052385d5e780b98a379f.rb | 12 +-- ...74a896d13132ebfb22b89fd4d026b8608b84d01.rb | 17 ++-- ...a1de0cc524dacd5b00c678daf50dde4d4539203.rb | 12 +-- ...2fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb | 12 +-- ...17589ae8050581abdfc414151c4655abc3cdfcd.rb | 12 +-- ...70ce0ece788e8e73d938f2fb3ce6adb890eb417.rb | 12 +-- ...89e645d86ab23c5f6acd039caacb18a02c3cfa2.rb | 12 +-- ...98115bd423958b1769317a6f7e4928df141eb57.rb | 12 +-- ...2fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb | 12 +-- ...daaba13e3623d964ca116f91948afc5231732a8.rb | 12 +-- ...65f172661014a4db8bb05b203bbc07c8686aa25.rb | 17 ++-- ...bb8c78658cc612de895ec59a8026a08c86662e5.rb | 12 +-- ...8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb | 12 +-- ...d272c3f76f36f4fe1357514d4b207a06f7f536c.rb | 12 +-- ...efe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb | 12 +-- ...1217615db4b7a86b90436982610bf86a03ca881.rb | 17 ++-- ...3063b7115d5a383189937852ce356f4c60fd190.rb | 17 ++-- ...53b8ad377a1988dcf6329bbdfa7b1201431656e.rb | 17 ++-- ...4f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb | 12 +-- ...92fa8483d177952f4b38a4b9be8305baef60466.rb | 12 +-- ...96d4c9ce21618defe0b3e4694dc5380e0189009.rb | 21 +++-- ...3495a0bf9fc076d41056041922792ddb58ac456.rb | 12 +-- ...69a143e9c40cfd9d09695333e45fd67743cd2d6.rb | 15 +++- ...800fb8ed39680604091e8268cd21cb8ee6f747f.rb | 12 +-- ...85ab573783653be4ea1784a59be3a1499ca64c7.rb | 12 +-- ...a266f551f39283eff85f4ab8913d8b6d57fb290.rb | 12 +-- ...dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb | 17 ++-- ...ee253f6aeaec7a001984e257b86ad7224e46469.rb | 17 ++-- ...0b088455f100a9a72e94a69e843b6e0831cbedb.rb | 17 ++-- ...466292818ad2b41c64ea7107123fe96010e1b96.rb | 12 +-- ...4c3f01054f36f8184ba673743310b5178354334.rb | 12 +-- ...5dd428fb4c350c16dfee20491f1a06484a2bfa3.rb | 12 +-- ...c092eb4091e8d3a20313a09194418595efca9db.rb | 12 +-- ...e9718e58257bda1dc0d751665a3ee233bf606f2.rb | 15 +++- ...141017330a2057c655dcb61bd3d9b2c98399181.rb | 12 +-- ...9f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb | 12 +-- 
...af67b618c87a9cfadcf4be33331e34f77f5c842.rb | 12 +-- ...b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb | 17 ++-- ...c9e3250b31dfe4b5e139cda266e7beabc47e504.rb | 17 ++-- ...eab56f86f3ee1745baa9e6fa771e652340487cc.rb | 12 +-- ...f08a19432b31835c71ea7d5b3687562cef053e3.rb | 17 ++-- ...faf7b9bab86ba7024b62d99c859136333b8a70d.rb | 10 +-- ...fc95a6cdd31b66c550d64d90d0431f68ed43571.rb | 17 ++-- ...1530fe252a0d5854827649ddf6e2c8fba9d1653.rb | 12 +-- ...a0864552f6b027689c7a69efa12e277009c5999.rb | 12 +-- ...b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb | 12 +-- ...ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb | 12 +-- ...dec520cda38e785c80e30db8fcd5428cee0f324.rb | 10 +-- ...f14eb66c408453973042c95d25f4e014bf4e364.rb | 17 ++-- ...03c5dd98cc9529359e601c1595c995cf359df30.rb | 12 +-- ...05a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb | 17 ++-- ...3377f31675a81af793df0c63b40e193a4a6999b.rb | 12 +-- ...3b6f3047638b0703bf1091fe4c3afe79445d546.rb | 17 ++-- ...70c7051e379d909016cb81933bc5701daecd428.rb | 12 +-- ...91e5a56f9d466a7c70baf6684d99843ab8c45d1.rb | 12 +-- ...9b7200857a55acdfa5de730a573eed0cfec0962.rb | 12 +-- ...9c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb | 17 ++-- ...9eae8a903584dcbc14cf07c719cd23b9f65e230.rb | 19 +++-- ...a22b7ec63fd7c5dc6a92875046515f4beac727d.rb | 10 +-- ...c9f149296e581c181529723f7eb44bf10a7d746.rb | 17 ++-- ...ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb | 19 +++-- ...f977df2af6a6a25e48e60dd867680d79dc6da8e.rb | 17 ++-- ...0e1d8111d5fec5580da9105670e78a63287732e.rb | 17 ++-- ...29ae1554ea01c67fdedb7874de4686f6c30b6e3.rb | 12 +-- ...3c3d4b45af73dff54258c5a5cab9e3d828cc766.rb | 12 +-- ...4125575d05a0aedbfe187ef0f95431229c5aac8.rb | 10 +-- ...980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb | 12 +-- ...b173624b62ee3bd8049bdeaaff990839eb4cb36.rb | 12 +-- ...d672538d6a08ce14e4bd6e931392bf63156f490.rb | 12 +-- ...f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb | 17 ++-- ...0e8cfbc6550fde842cfb72ba97d916827d462df.rb | 12 +-- ...2d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb | 12 +-- 
...34a46faae116cb9500c57d6c06e701f98a52e2e.rb | 10 +-- ...3d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb | 12 +-- ...47fa75888ee989393032f4ae5a133902df3e2cb.rb | 17 ++-- ...626995277c9a0db7fec384061c564c3ea50eeae.rb | 12 +-- ...6d752d92fbf1e8b558018e4b122dab52b304ab6.rb | 12 +-- ...79c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb | 17 ++-- ...7ded6f6ac3f40a59e17170307d0b15c1170552c.rb | 17 ++-- ...acd43cf74a9756cd727b8516b08679ee071a92d.rb | 19 +++-- ...e845b188299cb419b70cf5de27c22a50f776fce.rb | 12 +-- ...24acd9c6de558f26574bdc2eaa3048b597f2e5e.rb | 12 +-- ...3d704dff1ec8dceb660b58863d2a36afd52b66e.rb | 12 +-- ...595d37f80a7925dc75efa522c839df34edb4b46.rb | 12 +-- ...ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb | 17 ++-- ...c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb | 12 +-- ...cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb | 12 +-- ...d0884395161c74567d7fea747e15c9a31785e06.rb | 12 +-- ...0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb | 12 +-- ...167f5367b27f9493cefac9b23e68f180239e96c.rb | 17 ++-- ...1f20771562e9a58f6d2746d38a09694d4cbc345.rb | 12 +-- ...235f288513fa6064a856c499e0453f9f4a44f8a.rb | 12 +-- ...5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb | 12 +-- ...890a8ee268f8ae36ae0810b6eea7c45766b4133.rb | 17 ++-- ...9274e5d52fbb32ba32bae055f69ba1741771e79.rb | 12 +-- ...b066cff9171d55efb0dd884d31c18682ae6922b.rb | 12 +-- ...f2daffab6880d8bc68db4143643c132164dc7ca.rb | 17 ++-- ...180bd3047be9b4b70fb28455365546001b76e85.rb | 10 +-- ...440183d6aefac5a9259f6e2de824e43e85ed341.rb | 17 ++-- ...551bf2740c7e79d1722776a6e0d35d65885d037.rb | 12 +-- ...7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb | 17 ++-- ...8c6428b947bad767595961d6cb907493073183c.rb | 12 +-- ...8daa3ddab3acf64323b47fee32338d5c9591c4d.rb | 12 +-- ...bfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb | 12 +-- ...da2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb | 12 +-- ...164b79c008a3ad0c2f0277688274a0c3c98e79b.rb | 12 +-- ...2f12c8aed093770731d57b19dc039c32423246b.rb | 12 +-- ...3318940121036465913d946fa62fef61459b68a.rb | 12 +-- 
...4969c549a0d0099304108e50a77ff68602ed922.rb | 12 +-- ...51ca19ec6c53db97a15c67eea8ed00761570689.rb | 12 +-- ...601601a621be82612e36dd2a981121c141c72c9.rb | 17 ++-- ...6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb | 12 +-- ...91d043eaeb023885cdd80a3c0872d9fde9867bb.rb | 12 +-- ...b732feec2d8bae5ebb5d072a86cd31aca65f89b.rb | 12 +-- ...f580407d98ed9bec9c92c1ae2241eca8604e4d5.rb | 17 ++-- ...0cbed817be7f8947339e1796d1964567e9dfe96.rb | 12 +-- ...1c4dd44416a5a2781b37f7d9111961c8dc58583.rb | 12 +-- ...c53884306f13d86e310d893433556d93ef7facc.rb | 19 +++-- ...c70ee31ce02e89d989cb38dc885438e19dc5919.rb | 19 +++-- ...174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb | 12 +-- ...3a06c9d90272ed9dd49863667de02579971fefd.rb | 17 ++-- ...6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb | 12 +-- ...91a3a679d219196e597358caa46469961c471fd.rb | 10 +-- ...08b44317fec610d418f62d5d24fafaec0510353.rb | 17 ++-- ...0c24219cbba0605e39e02123398437c5dbbb104.rb | 21 +++-- ...233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb | 12 +-- ...5043f1299e2b98ddf8a1ba08f731f260492601a.rb | 12 +-- ...9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb | 12 +-- ...e668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb | 19 +++-- ...8785e62882096798b9a47645c401e2db0c3da87.rb | 12 +-- ...c2edee6fe6141b914f74b6d3541e986c1995420.rb | 12 +-- ...56b23405739592e947a92cb210791fbfe9d9938.rb | 12 +-- ...57feedce849edba19d94bf3920903b4c297e249.rb | 12 +-- ...6a01f4986991b8605b775bd21c3829c071c7e01.rb | 12 +-- ...7627a0a76d4347858dc9b2533aac197920feb67.rb | 10 +-- ...79d0ce21fe81c5c95f687db4b944d28c121a849.rb | 12 +-- ...f1e39397cbf59f35018306725336d275b33fad6.rb | 12 +-- ...11a78efce1a05c176c84381f9a8687564c124dd.rb | 17 ++-- ...1c38e8940f7cd6be485bf6903fdb169d71617dd.rb | 17 ++-- ...21137de182d11744ae6be8683de568a64edca7f.rb | 12 +-- ...24cbcd567a508befc4d08238d209749a6f81ef6.rb | 17 ++-- ...3fbe87df7583cb37d64da775d5298d139d6c645.rb | 17 ++-- ...42110382cc91407cee827f639c811fa41aad081.rb | 12 +-- ...57a6d46c53ff9cd3176239d342644bd34cc9e6a.rb | 17 ++-- 
...72387e0713d81467e907f48691fd8a3a9d9b745.rb | 12 +-- ...853ca84fd72235c89ca6c71dc2fd586035fb508.rb | 12 +-- ...8c9fd18d79dce6408c752dc974b0b895286f861.rb | 17 ++-- ...90d9018168d767820b7fc6fac5cb62d1a40d819.rb | 12 +-- ...c3905611074ae1c586d90e5312e49817dfb1454.rb | 17 ++-- ...ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb | 12 +-- ...0d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb | 12 +-- ...2585efc70794668f1b7f01f4392daef49f476e0.rb | 12 +-- ...63aaed35e720148fbc396f8311138d46d099d7e.rb | 12 +-- ...6ce2dab7bee96ee1c9d290100ffae593a644ddf.rb | 10 +-- ...881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb | 10 +-- ...91a696d50e945b55f27ad1b7055adb4d94d611e.rb | 12 +-- ...da1c94523e9778bedccac2922cdb5582b3bab99.rb | 12 +-- ...4701c7aa9501f113595ba20117d03fbab4a7edf.rb | 17 ++-- ...4a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb | 12 +-- ...5dad9bbfda68f466fdb0784359dfa8be8f2e636.rb | 12 +-- ...72f377ce426f864bf68f2a32cd703d595664885.rb | 12 +-- ...7acef3594b4fbe5bdb37cfab88155ea223bac9d.rb | 12 +-- ...d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb | 12 +-- ...e86d1920edbc9fb506c499301164f3920a3e141.rb | 12 +-- ...61f342f6e88de1977eb60aecd9554335b3602be.rb | 17 ++-- ...9c585626bc777823124cce965150be221723855.rb | 12 +-- ...bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb | 12 +-- ...e7b4e6104632c48765f27c7e53ce073c73b03c2.rb | 12 +-- ...15163d8d5ee351c62d0ef6438b1cb492b882128.rb | 12 +-- ...3e3e8ce017c356969e16f4bb329fc45e948a045.rb | 17 ++-- ...f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb | 17 ++-- ...281300a16a309db14773233ab085dadc65f0081.rb | 12 +-- ...293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb | 12 +-- ...61a81563d20e7823c63828ff38348ec1b80adcc.rb | 12 +-- ...670937bc44571ec34ab812a7a7d2ce839a382ad.rb | 12 +-- ...69abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb | 12 +-- ...6b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb | 17 ++-- ...7222017b4ae03b81a41387cb81b0814654e2dd6.rb | 17 ++-- ...758f608b9326b54464784a72149d9991ce839d1.rb | 17 ++-- ...8afe0b2e7d234d495d38ec6bf35257a42f229de.rb | 12 +-- 
...95c07ac1193aad1d8ee9871ee425e5653408a4d.rb | 17 ++-- ...c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb | 12 +-- ...65dbc5efb8e378d36cd0742b6e5a65bd9046168.rb | 17 ++-- ...75336aa55e307ff5c730b375f8220b85ede2e34.rb | 12 +-- ...d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb | 17 ++-- ...4681ac612616253b2eb8e99e1b68836b7d68cac.rb | 12 +-- ...7066f8392926c00ab4a5969f52aade616c1e314.rb | 12 +-- ...71cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb | 12 +-- ...7e1ed146ef347cf326650e230524a6c8d4ed43d.rb | 17 ++-- ...c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb | 17 ++-- ...16b3d65c4f43150dea643a905c1a2a68efc3fb6.rb | 12 +-- ...1dee95c3183246a5332357b814a08ba9c05d999.rb | 12 +-- ...1fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb | 10 +-- ...2f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb | 17 ++-- ...4075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb | 17 ++-- ...4140487ddd020e65cb6c3f9ae09275ca91dc47c.rb | 17 ++-- ...4b271ac2dedc103ec8d042bb40a418a042dceb9.rb | 10 +-- ...686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb | 12 +-- ...352f9564e9d19391f222c67e5c64e09f949df4e.rb | 10 +-- ...506f6e38353adbb19bd22872b2fa8831c32c63d.rb | 12 +-- ...5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb | 17 ++-- ...61e9f882f22a77b803a1fa28912b2636913ea56.rb | 12 +-- ...c771fb8769897775bb6df04fe982d7a79684c8a.rb | 12 +-- ...213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb | 12 +-- ...916e3c1d80069d0209f6376b33e42b75ec49eda.rb | 12 +-- ...941d9b157b159697c7cbfa154c410b23be1a7af.rb | 10 +-- ...dbc01430dbd0c80011dea9852f3ae257bcf3138.rb | 17 ++-- ...fdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb | 12 +-- ...2931cdba68412c1b871f960b4005f70847b29c3.rb | 12 +-- ...65d9bac0e2687bd08337088466a686c40479e5d.rb | 12 +-- ...6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb | 12 +-- ...b354ede0283a824c81183b1ffb6add90255edb6.rb | 12 +-- ...ee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb | 12 +-- ...0516d4ba12ccc659906a5f122f8637279970bf4.rb | 12 +-- ...088eee45f6cbd649b53ae99b68a91823d86c6d6.rb | 12 +-- ...cc06a908986f225fded745f7f884bf50fd5b434.rb | 10 +-- 
...d900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb | 17 ++-- ...1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb | 10 +-- ...259f9732c7269eccd67dc7f8bbceded2a909972.rb | 12 +-- ...7e6d42611b69819d39439c2ee93305f6305ed90.rb | 17 ++-- ...b0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb | 17 ++-- ...b2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb | 10 +-- ...e60bf5cd327f0aa534fd8c37a8733e942707a0a.rb | 12 +-- ...fd6084786349d5763237b1caeb3d5d9f61dce75.rb | 17 ++-- ...21f4b63fbd354522a1c37a982da46973b6a95ef.rb | 12 +-- ...43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb | 17 ++-- ...a6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb | 12 +-- ...aef9af5a88432766d76d7da2cf961c75b6e0e0b.rb | 12 +-- ...f7fbdaaef014460825b4ef5848e86834aa3880c.rb | 10 +-- ...12683a92d161c37d51d89711c4870ba30904c3d.rb | 12 +-- ...88165fba081e659b7ea6463eab7bcac70363656.rb | 12 +-- ...ae3de55854513a2a7d4979337176c0717efce8a.rb | 17 ++-- ...c23056feb23daf0cb1d2f90e153b5f892df83c6.rb | 12 +-- ...1ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb | 12 +-- ...31c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb | 17 ++-- ...800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb | 12 +-- ...8f761287ed46e213bec29c2e440e73fd72373be.rb | 12 +-- ...b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb | 12 +-- ...e80992437b5e1cb76bf56605ee8991e76e85f69.rb | 10 +-- ...f1cf1c7ff279aa37add352423fd850e06be1098.rb | 12 +-- ...33dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb | 12 +-- ...891dc7656eed3d8d4f255c41ca6a28caf532079.rb | 12 +-- ...9e38445a740bba5a77b86691e3c51a7e48dc79b.rb | 12 +-- ...aedae2bb27ac85cf14c36da79747dd88bb2b633.rb | 12 +-- ...c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb | 12 +-- ...0773be8cf5bfed9d910c8473dd44eaab2e705ab.rb | 19 +++-- ...36976f90c600be7c95a68be6c2f0652cc22347c.rb | 12 +-- ...612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb | 12 +-- ...69de0e1d833caa693af17f17c83ba937f0a4dad.rb | 19 +++-- ...9fa51127c50ad10c32a19e0a1a587a05b8d450b.rb | 12 +-- ...08d0e9e7720923def88a5aea9988cbaa0142b64.rb | 17 ++-- ...14c35398dffe74ac9ed945e176d8fd99446d9de.rb | 17 ++-- 
...9bd3f83d9b34b9f043e68624271c5ef90820021.rb | 12 +-- ...df2711ee6c911fe238cf10f43b08099201e57ec.rb | 13 +-- ...4128118082b61b311247f8fa6672b8df938748a.rb | 17 ++-- ...d45b750d14b7b6ea11c2b57c73746b61592437b.rb | 17 ++-- ...d511bfe32efcb567933d13ab9dc87f0a02d3651.rb | 10 +-- ...0ea46dff84c256650d44c1a32ca609168bee1a6.rb | 12 +-- ...35101aec7213fdc442419bf65a92047a862ff32.rb | 12 +-- ...462f7cc95a34bd03f42ad150211db68fcf27d44.rb | 12 +-- ...97f7d05a70ecde852a2eed480bea6a6779b4a27.rb | 17 ++-- ...598dcdd3567efa7befebc6d97977e83d758c649.rb | 12 +-- ...8e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb | 12 +-- ...9cc3bb9361ad139a1967462175759416c9dc82b.rb | 12 +-- ...b51f0e99fae7170859f393ba0118cc955c337b9.rb | 12 +-- ...c436e0b35bb19702fba4b5effb3f94edecc3c46.rb | 12 +-- ...ccf267bc9d0f4706559d85cbeb704782dae9ede.rb | 12 +-- ...46025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb | 13 +-- ...600225be309ec27d01385dd52df9196e86ed3c0.rb | 12 +-- ...61068caa1dcd5005b27c7c6abe32e94102eae3f.rb | 17 ++-- ...6f8c796364693379a2a0c753133fecbd1c52434.rb | 12 +-- ...9de357f509368d89f95b0e92b0d5227e8b8addc.rb | 12 +-- ...e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb | 12 +-- ...6fe771348e04d552fa1e6dcaf610699719bdd0e.rb | 12 +-- ...71b122dbcd9503767b6f176d7745749fb4aaf89.rb | 12 +-- ...078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb | 10 +-- ...2994712adbb4db7b768554149443ddee829cb91.rb | 12 +-- ...5381a457906d279073822a5ceb24c4bfef94ddb.rb | 19 +++-- ...8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb | 12 +-- ...978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb | 17 ++-- ...de4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb | 12 +-- ...0a199289365088782dcaceab6a81721d0d8ae0c.rb | 17 ++-- ...0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb | 12 +-- ...4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb | 19 +++-- ...10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb | 12 +-- ...10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb | 17 ++-- ...1df77a9cc06ba60c213852b01bc24282e49696a.rb | 17 ++-- ...2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb | 17 ++-- 
...61f734abbd95e2ddeab19046141020d00aa2aaf.rb | 10 +-- ...cd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb | 12 +-- ...d5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb | 12 +-- ...388b883ef50189a2eb5e6c7931c52e03761a7fd.rb | 17 ++-- ...7b96675bca2ca2e2e746ebcb706d9236178564c.rb | 13 +-- ...7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb | 17 ++-- ...8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb | 12 +-- ...dceed30099baad51871c5fc277daf9b74dc726a.rb | 12 +-- ...e0b5a0f65e25f536a868d84e1d912403b56e742.rb | 17 ++-- ...e525f6c9b018c094beedd17b87a4573d7ea7e2e.rb | 17 ++-- ...0c2e03955a845c9a7f9c85228b12c9700d66c50.rb | 12 +-- ...202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb | 13 +-- ...2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb | 17 ++-- ...303ce47c562225a4f3475170333494965760a6a.rb | 17 ++-- ...33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb | 17 ++-- ...4490657edfef482025fff60e85acd5928e0d05b.rb | 12 +-- ...fb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb | 13 +-- ...03feaf8a7e40cef8a75568a406a22fdeda94f8b.rb | 13 +-- ...92b643118f919a1827477e978d9cea2b09a34fc.rb | 12 +-- ...2e411aed4443fbbcb9706fffa2362e4a108f28f.rb | 12 +-- ...04d873b711edeb971328656c4c17bbc15c7427f.rb | 12 +-- ...3fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb | 12 +-- ...439c4311f0dd7307f78c1b5530f52a590230e45.rb | 12 +-- ...23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb | 12 +-- ...5238226a11b5538d56c713c97db1a36722e6322.rb | 13 +-- ...1b43c632d35649e9b128528994426e34ae40d1a.rb | 12 +-- ...9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb | 13 +-- ...f3765f1e2595771cefa96291c647d0eff8a81e0.rb | 13 +-- ...149edaf4dee34b38f831bf0914af2ecf0a1a317.rb | 12 +-- ...24385baa7aaf9c62ae336e896bcf245dda0fc01.rb | 12 +-- ...4b6f2a9e244a36a9f107febf832bbadea9f252c.rb | 12 +-- ...b88546716e2f1924986596ee7cc9215df89c6f5.rb | 12 +-- ...c11fd6524ef7a7da877f940fba181ed746edb0a.rb | 12 +-- ...f523a27b7460f50befd3d281238c6f189c92d84.rb | 12 +-- ...c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb | 12 +-- ...da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb | 13 +-- 
...ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb | 12 +-- ...f253610e390e5237eb7949212e08166fba3ca4b.rb | 12 +-- ...f7bdfb9a24714835cee6e6597ea7aa782821371.rb | 12 +-- ...06b2bb216b6cdb6b1be565a6fcd29f3862db060.rb | 21 +++-- ...0cbb98b62f46ee16b182d1b357146577c40ebb7.rb | 13 +-- ...36e52c7896f5403d8065cf3965fdb2d31d56891.rb | 12 +-- ...4b1296687d36e24bd48b8c412157d94f074ecc2.rb | 13 +-- ...53debb34a7d493c0b8e2d6db2079e3d680459f5.rb | 13 +-- ...6e84118fee5788eb5d8dda66b7e7f029d2c7800.rb | 17 +++- ...ee9e1740da616757f2e6d5ba58576c0c7302fff.rb | 13 +-- ...0acfe88fed30ad3f8cb88425b80ea96899655aa.rb | 12 +-- ...3801a6f55c5c3cdf7d83590b433adcbab08a688.rb | 13 +-- ...49119af9e223829ea24f6b7226bdff0182e73f2.rb | 21 +++-- ...5764bd71c58942e9131e3547b7c343098212d03.rb | 12 +-- ...89260a6758c3f1dbc741c197e747341ed277cd2.rb | 12 +-- ...b24749bb184473f81819312e3d86903915eaf65.rb | 12 +-- ...ea4c67e60e49b8164b692166115bbf927e521db.rb | 12 +-- ...f89db5baa7e88162377fab6a1590f732a355401.rb | 12 +-- ...fce81d490804af9759c70bf197380bc05a584c2.rb | 12 +-- ...3adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb | 13 +-- ...3faee19af5e1d20163c6492862fca1a4146b668.rb | 13 +-- ...5adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb | 13 +-- ...6bb6303e03d21ec9b79334370e1b39a51f883b1.rb | 12 +-- ...97931f8d2346a6d0e300a65d8fc6106c6c88c15.rb | 15 +++- ...d0bb76f378375d584a373929f6d5b695f53db99.rb | 13 +-- ...dac034d41342a93593b3e18aa05f4b69c2909c9.rb | 12 +-- ...fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb | 15 +++- ...284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb | 12 +-- ...3bab59259db20458dc7d753dd2950916f6e47de.rb | 12 +-- ...68d20b7e0d08bc282fb42ae405c7054e4209ede.rb | 13 +-- ...95aeaf311d354bbcd3f311e218f6b40fe711046.rb | 12 +-- ...a75868ead9dbb03eb4d668ff2918f341f949387.rb | 12 +-- ...b72576ff331e93852355123afecdec70fd247b5.rb | 21 +++-- ...194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb | 13 +-- ...a5885d005a0e25074da79038453af3c1bbd16a1.rb | 13 +-- ...a6d4ead4f4d511091e34c8baebaab04b97913e0.rb | 12 +-- 
...d3ffad6407f2ea71f9121d761426f3a917f4216.rb | 12 +-- ...dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb | 12 +-- ...56da9d194e16bccf2c342a12d8ea01e677fcba7.rb | 13 +-- ...a7fafb866f1680656f7343e9d38fa76986bcfff.rb | 12 +-- ...e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb | 13 +-- ...05005b60c0c3e63eb593a5041fc9f7803e3b87d.rb | 12 +-- ...56e263a6c8431b34f1ab69b55abbe453a135c52.rb | 12 +-- ...a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb | 13 +-- ...cba3297f538691eb1875be62986993c004f3f4d.rb | 13 +-- ...eb1e49d70f349433d3d4a712b4746c73481012d.rb | 12 +-- ...1b0020fb992b67e3c368576943fde81e4ec7ec9.rb | 13 +-- ...378343c5442ef04933110045638b2daafa16098.rb | 12 +-- ...76f2a94a6a1db73c935bce8db1e5a28a46d8535.rb | 12 +-- ...80296526a2060e4e53dfa8ded76917c3f9b851c.rb | 12 +-- ...a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb | 12 +-- ...ae48d5843f29af366655a00fb0636db91328abb.rb | 13 +-- ...b7db6636c9f2f03c9523b02db229741e2250550.rb | 13 +-- ...e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb | 12 +-- ...4c01d397b6584f7040ef266b16a5d4da0b7a087.rb | 17 +++- ...51ace667ccae6a8887837efb18259a906704bed.rb | 12 +-- ...822e789c3428254f309f81600b9e5ae551a3461.rb | 12 +-- ...ad7dbe330f23ea00ca63daf793b766b51aceb5d.rb | 21 +++-- ...cd08eb60d44e32e85530f0537d46f8cd422403e.rb | 12 +-- ...81a06f0ac241c4aa8860602d9abcc903adbb675.rb | 12 +-- ...8a944084a03aec90d871ca8a5fac48801cc064d.rb | 12 +-- ...95a6603e6113924f82409ff65e6ed1514afd3db.rb | 13 +-- ...b0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb | 12 +-- ...ccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb | 13 +-- ...e6d412ecc4816c46eb49e750b02f714a9131c4e.rb | 12 +-- ...116abd24efe14f6dc2f98cef3d673934f6d66d0.rb | 10 +-- ...1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb | 12 +-- ...451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb | 13 +-- ...5a0679981d0258465ddba6b975c9340cbf20d22.rb | 13 +-- ...62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb | 12 +-- ...7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb | 12 +-- ...9133ae8d86b5d469422e0c51a19e7910ebeae41.rb | 13 +-- 
...c7e13208dfc283e75a9491f8507429f647eac05.rb | 13 +-- ...2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb | 12 +-- ...67af93d54c07bbe5d252ef6f176ec77b866c786.rb | 12 +-- ...8ba284042773fed1189bcf927960999f4c1de55.rb | 12 +-- ...a518391ad926bb7535f2095df0be265180eeed5.rb | 13 +-- ...ab413a7e3b33dde527af308a09a55ade6b41e84.rb | 13 +-- ...c799b9197929f88cebc6aa72e3be388cacfb1df.rb | 12 +-- ...eefae132c5a39ba892bc189edd91f73c1ea1f14.rb | 13 +-- ...ff06414a29b97b865ef938e06a7751fe8b1b2d0.rb | 12 +-- ...0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb | 12 +-- ...5dc6c0caa39828fa10ed37e642723a581acdb6d.rb | 13 +-- ...7de387eec0b57da248cc4e74edefcfcb55bd204.rb | 12 +-- ...aadebbded05e24bc9853c39b2241436f96d41ef.rb | 12 +-- ...b6b0b1e1c5cf4579e66eadb083885884dc0b648.rb | 13 +-- ...5ffc1b2b1282d79097f4ce84b519d326dce1247.rb | 13 +-- ...b431a54ddae802fd1c59850cbbc408a05d3deb8.rb | 12 +-- ...c121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb | 12 +-- ...d0655c4d2073eda4235084e1d0e558f0251be8a.rb | 15 +++- ...e976940471b3f683eeebb268f095b7ff1c898c1.rb | 12 +-- ...8c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb | 22 +++-- ...12fc00c0da67045111928bd5c8a350e5be18c41.rb | 12 +-- ...5eb6347f0629b37bf698200022a683b7efb10ed.rb | 15 +++- ...ae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb | 12 +-- ...c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb | 22 +++-- ...b850bf60461afbdd83317b248b3f687e52ff18e.rb | 17 +++- ...99b381aaf00ce85ee5d4a12770ea369b30d2a41.rb | 12 +-- ...cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb | 12 +-- ...ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb | 12 +-- ...d2b609f0c8e7b338f767b08c5ac712fac809d31.rb | 30 ++++--- ...4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb | 17 +++- ...dcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb | 30 ++++--- ...65648a832414f2144ce795d75b6045a1ec2e252.rb | 12 +-- ...b587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb | 22 +++-- ...e188ec5f09c187a7a92784d4b97aa251b15a93c.rb | 12 +-- ...4cd15d2eb0bc25c89045873cf807f7533e4788d.rb | 12 +-- ...d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb | 12 +-- 
...3b3d43ad45e1b0f601848c65b067f9e9b40528b.rb | 12 +-- ...1f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb | 25 +++--- ...3cd526a553b3b47c6dd0d6dc62175263cdc646e.rb | 18 ++-- ...dd0bb57f81671704475d1e5163405f7b4d4b454.rb | 18 ++-- ...5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb | 18 ++-- ...417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb | 22 +++-- ...a63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb | 12 +-- ...e450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb | 25 +++--- ...f1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb | 12 +-- ...1237c55f6778f53b369cf22ff81979b2fe340bb.rb | 18 ++-- ...3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb | 22 +++-- ...831493b564a8632d1da5cc0fe44af45713cfeb6.rb | 12 +-- ...4929d2a8af4629477103af6f1cfb3bebce80883.rb | 12 +-- ...6b3c1a40c8a0bd026975a262774bf52aec55107.rb | 15 +++- ...4f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb | 12 +-- ...784a31a1c26f6d2157e585205ebb63dd19ff90f.rb | 12 +-- ...b157f49586a3ca84d55837f97ff466767dd3445.rb | 37 ++++---- ...5ed813688b116fdce9e866ad2fef2e734167337.rb | 24 ++++-- ...ee9454b96efa9e343f9e8105f2fa4529265ea05.rb | 24 ++++-- ...b7203920d3d786ac40af8e0d5104683335f11be.rb | 46 +++++++--- ...5d5020664b11fd2708859275de41d5ab9d104cf.rb | 46 +++++++--- ...8af6c81cb28a37bf3a546970bf64224402f8bd4.rb | 46 +++++++--- ...19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb | 46 +++++++--- ...561ec515222887a1e004555981169199d841024.rb | 58 ++++++++----- ...0854a16b9b4b73893627ccb730d97907837e320.rb | 2 +- ...155f455ad56bd871c8225bcca85ee25c1c197c4.rb | 71 +++++++++++----- ...3d1f350f13728651d74dd2a56bad1e4e4648f5e.rb | 46 +++++++--- ...a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb | 46 +++++++--- ...84362aa891ab565e4cf904cd60be984a7941acd.rb | 2 +- ...0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb | 2 +- ...60a7605ae87b9b40426e3123b12a91bfe2036f3.rb | 2 +- ...be9cff3c43b979739af1681b61a3d585725577b.rb | 71 +++++++++++----- ...07144cc3d0ac50415f3a2e061be6da672c914ba.rb | 46 +++++++--- ...44469d65b4efd2e5951513ed7cbf773657f1283.rb | 46 +++++++--- 
...12f3f1e614cb9c829b8d1590d228cc6a9506a03.rb | 2 +- ...99b9225bcb0d019d9d60884be583eb31bb5f44e.rb | 84 +++++++++++++----- ...d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb | 50 ++++++++--- ...df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb | 2 +- ...2e412d1938ec3ff79751f0e85f31bc52f7e3722.rb | 50 ++++++++--- ...886817dc06a87bdeef50544c0d6c12de13a8148.rb | 50 ++++++++--- ...d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb | 50 ++++++++--- ...8a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb | 2 +- ...34252e0c5f8b03957a2e529719d4101699a894a.rb | 84 +++++++++++++----- ...b143503744b9d6c22e479941488d6a9e6e3f1c5.rb | 2 +- ...c6ea8a57519f219a10c9d6a6d199dd813680226.rb | 2 +- ...dbad1709854c527793f6401666e45a791b7c793.rb | 50 ++++++++--- ...5d7bb2dad0f8172d1c02c0311a00c4695933beb.rb | 2 +- ...629fa2eea681f639a0c18305d4548850dde3450.rb | 2 +- ...4761ae31db09ce9140ca55cb6986a5ea9110abc.rb | 50 ++++++++--- ...fdb74e7b217d06c93172a8243f8547f947ee6d1.rb | 84 +++++++++++++----- ...9d56de82ddd00d822d6100034f3075ef1709cd2.rb | 84 +++++++++++++----- ...67e80e70619717709e3180e552a11a285036a54.rb | 50 ++++++++--- ...b3c5cf73a0a6b7f2b3895a56dbc443806700971.rb | 50 ++++++++--- ...b7626dd8b8a50f7685920487e992528834f6775.rb | 2 +- ...e5c8d8738927eb715941480b3726fa764cc50ed.rb | 5 +- ...e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb | 83 +++++++++++++----- ...ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb | 83 +++++++++++++----- ...fba7abef941659c229c2636aa0905c28652ee3f.rb | 50 ++++++++--- ...2f6b69e698bb579baefb35a3fb0346632fa2c4d.rb | 83 +++++++++++++----- ...7f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb | 50 ++++++++--- ...2199dd358616182fb49c992330fb05e42eaa423.rb | 5 +- ...d60d4bd625a7fe2439db781a5fc91bb69684903.rb | 5 +- ...75b0c335a4987f12d17d3b4adb8dc430432b082.rb | 5 +- ...c287babd169c70013b752da2713dfb96d9a503f.rb | 83 +++++++++++++----- ...ebd80372a00285a5c486ef72917f935eb8f91be.rb | 5 +- ...d0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb | 5 +- ...ddeb6374fc99723cef3b3baafe48ac78fce13b4.rb | 5 +- 
...b91dd613d38b806a16bed1b364c084ad63d1a1f.rb | 50 ++++++++--- ...3f1cf7f55b985fd6d989880ec3599724fe40a26.rb | 5 +- ...13b24f94b260dd6394bdb2433d2a78e37078d5c.rb | 50 ++++++++--- ...1596c76d0d93d8a36378ba976f034f140618d59.rb | 50 ++++++++--- ...45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb | 50 ++++++++--- ...8edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb | 83 +++++++++++++----- ...c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb | 5 +- ...b48299781548c9bc452eac6df39902547c884ed.rb | 83 +++++++++++++----- ...7169e68b33cad12e272bb4896d71fd0d4fd98bb.rb | 50 ++++++++--- ...4a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb | 50 ++++++++--- ...983d313db4a441a3762c8861ca405aa0331c0c8.rb | 50 ++++++++--- ...fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb | 5 +- ...143da129b44b931a1c180e2b103e993dd2474fd.rb | 5 +- ...7c8d90bd86bc698d156630e8803de433a640090.rb | 83 +++++++++++++----- ...bf4c513db255ab7248cef9f0f96b4403df29852.rb | 50 ++++++++--- ...e592d3efa165bc2bab8b40426370bd50cb0b027.rb | 50 ++++++++--- ...bf3b2a9815c0cd6e4280cd99474d34102804eb2.rb | 50 ++++++++--- ...046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb | 50 ++++++++--- ...2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb | 5 +- ...462ab2b79c7f29fb866da6e087e45261570a09c.rb | 5 +- ...4af69206091c7f14a941f2dd77a79a7682a1184.rb | 5 +- ...40609514178a4bb96a3cd44ffdfede398a77610.rb | 5 +- ...5594d4b6cbecda86ec968fa940c6c09937db70f.rb | 55 +++++++++--- ...87920279e1c7892042ff27d76315d55e4651db9.rb | 5 +- ...e46fbc4d85f5df8b6f18630787ad281786a3512.rb | 5 +- ...d631c824a37b236d1dc9686b224a573fd6048b4.rb | 5 +- ...8037b6260865346802321dd2256b8ad1d857e63.rb | 85 +++++++++++++++---- ...a4777827fe1fb729ca35acd99c8013936172a0d.rb | 55 +++++++++--- ...0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb | 85 +++++++++++++++---- ...9c3cb85f9e55046776471fed05ec441581d1969.rb | 72 ++++++++++++---- ...b265082cac9486923c709d48ee5dde080e243ff.rb | 43 ++++++++-- ...376d41cff4473142a97ac1ff1eab433859dc3d4.rb | 2 +- ...fca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb | 2 +- 812 
files changed, 9338 insertions(+), 5297 deletions(-) diff --git a/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb b/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb index ccbf991b..90e3db0b 100644 --- a/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb +++ b/lib/one_gadget/builds/libc-2.19-01e14462fc6097604edd54a2ee63664c65b2c12b.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248135, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248142, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248151, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248187, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248191, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408704, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408708, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408714, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408718, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb b/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb index 747e9121..56ac078a 100644 --- a/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb +++ b/lib/one_gadget/builds/libc-2.19-01e23c38126dad7db569b176808a7c54db64a086.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274841, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274848, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274932, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755165, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755244, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870272, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 874871, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874883, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb b/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb index f09334c5..7c0f479d 100644 --- a/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb +++ b/lib/one_gadget/builds/libc-2.19-02093f433808b294939b7a84c436c9eb4ec7f084.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454764, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454786, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454790, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454794, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610067, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610071, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610077, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610081, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb b/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb index d5a17b35..feda9dae 100644 --- a/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb +++ b/lib/one_gadget/builds/libc-2.19-0301225d38bb881df8962a45d8c7f97449628511.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261583, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415184, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415188, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415194, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415198, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb b/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb index 2c290f2d..0c678839 100644 --- a/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb +++ b/lib/one_gadget/builds/libc-2.19-036830b8f13a440ab4f419e46889b60e6e2b4211.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248167, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248174, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248183, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248219, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248223, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406672, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406676, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406682, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406686, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb b/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb index 724853fb..0eecf268 100644 --- a/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb +++ b/lib/one_gadget/builds/libc-2.19-03913aa050d557a99cc18f7b10e35f06e7c9265e.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267273, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267280, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267364, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 752861, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 752940, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 868503, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 868515, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 883824, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb b/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb index 149fe7eb..06b1d68a 100644 --- a/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb +++ b/lib/one_gadget/builds/libc-2.19-05438cea9c1f9b3bbca9d9718319ee3742937f2e.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248407, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248414, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248423, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248459, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248463, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406240, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406244, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406250, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406254, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb b/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb index 57b3e487..e3e95c86 100644 --- a/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb +++ b/lib/one_gadget/builds/libc-2.19-05d284a054b0c444fe40e91b25155a637b5cd35b.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254311, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254318, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254327, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254363, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254367, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414519, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414523, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414529, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414533, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb b/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb index 9469efa0..0cb56123 100644 --- a/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb +++ b/lib/one_gadget/builds/libc-2.19-081d1ade5e735e7bbd0d2c1655a1eb7a0ab546ad.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261399, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261406, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261415, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261451, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261455, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412768, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412772, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412778, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412782, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb b/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb index a38f3a5c..7d655fad 100644 --- a/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb +++ b/lib/one_gadget/builds/libc-2.19-09aa28fd1054ee91085a7e13da58891c2d22058d.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 263451, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 263458, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 263542, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 701565, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 701644, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 823243, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823255, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 838384, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb b/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb index 701be685..12d520fa 100644 --- a/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb +++ b/lib/one_gadget/builds/libc-2.19-0b3a9eb5ffbd93527a046585e2eb0c8ae804498b.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412615, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412619, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412625, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412629, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb b/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb index e0f365cb..1964904e 100644 --- a/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb +++ b/lib/one_gadget/builds/libc-2.19-0ca781d9dae5d7689f112aa047b949ba253a1a24.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 253767, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 253774, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 253783, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 253819, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 253823, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414439, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414443, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414449, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414453, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb b/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb index f595bed1..19465c97 100644 --- a/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb +++ b/lib/one_gadget/builds/libc-2.19-0cfe51d12d5ffdc0b80469a74e6e5afb8130cafb.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 275065, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 275072, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 275156, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756589, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 756668, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 871776, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 876463, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 876475, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb b/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb index 3774e301..ee9e0cbf 100644 --- a/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb +++ b/lib/one_gadget/builds/libc-2.19-0dd7691bd47c4270c2ce9343dff1fbe0e27ad9f3.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454556, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454578, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454582, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454586, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609880, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609884, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609890, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609894, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb b/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb index 2b14f896..1f52922b 100644 --- a/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb +++ b/lib/one_gadget/builds/libc-2.19-0e1a9dd2ea0a174b53ad15979b049628cb2d7fd0.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260991, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 260998, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261007, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261043, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261047, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412368, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412372, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412378, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412382, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb b/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb index ca644d14..edd02343 100644 --- a/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb +++ b/lib/one_gadget/builds/libc-2.19-0fe755222a275227e03414bf80fe98560038cf7e.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412615, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412619, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412625, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412629, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb b/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb index 7a50e014..73745da0 100644 --- a/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb +++ b/lib/one_gadget/builds/libc-2.19-10c913aa6554f3128781afb7846ac481b64c10b6.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454556, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454578, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454582, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454586, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609859, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609863, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609869, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609873, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb b/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb index 4472b4cf..bba2f719 100644 --- a/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb +++ b/lib/one_gadget/builds/libc-2.19-1142f4753ddff69c217e1e539272eaaf7d75da4c.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261639, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261646, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261655, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261695, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414983, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414987, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414993, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414997, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb b/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb index 2c8c2efd..c9993bc5 100644 --- a/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb +++ b/lib/one_gadget/builds/libc-2.19-12d7f074b08cab569614830552b5fe8a32707295.rb 
@@ -20,25 +20,28 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267129,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267136,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267220,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754893,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 754972,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 870503,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 870515,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 885616,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
  effect: "execve(\"/bin/sh\", r9, rdx)")
 
diff --git a/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb b/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb
index 540c7c5b..bbcd14af 100644
--- a/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb
+++ b/lib/one_gadget/builds/libc-2.19-145bd51d758bf9c3e3b45949a2023cbaa0941e37.rb
@@ -20,25 +20,28 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754733,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 754812,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 870615,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 870627,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 885936,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
  effect: "execve(\"/bin/sh\", r9, rdx)")
 
diff --git a/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb b/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb
index a2430e20..59f40ab6 100644
--- a/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb
+++ b/lib/one_gadget/builds/libc-2.19-15b6f6d06e3435a22c15398ce99c3d649112f576.rb
@@ -20,25 +20,28 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274185,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 274192,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 274276,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 753293,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 753372,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 868592,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
  effect: "execve(\"/bin/sh\", r9, rdx)")
 OneGadget::Gadget.add(build_id, 873336,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 873348,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, [rax])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb b/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb
index 13b29bea..9c8711e5 100644
--- a/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb
+++ b/lib/one_gadget/builds/libc-2.19-15c42742a61d7b2fe40dca9ca659a8f8f8ffea32.rb
@@ -20,25 +20,28 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267129,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267136,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267220,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754781,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 754860,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 870663,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 870675,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 885984,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
  effect: "execve(\"/bin/sh\", r9, rdx)")
 
diff --git a/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb b/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb
index a77d12fc..84b4483d 100644
--- a/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb
+++ b/lib/one_gadget/builds/libc-2.19-1606a4f3d8e807c5bf9b273ab202901115aa7a1e.rb
@@ -19,22 +19,31 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406240,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 406244,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
  effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406250,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
  effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406254,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
  effect: "execl(\"/bin/sh\", [esp+0x4])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb b/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb
index b3ad67fc..bad70697 100644
--- a/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb
+++ b/lib/one_gadget/builds/libc-2.19-17e8467dfe433c3622e6874d5795f6ac8edc8951.rb
@@ -20,22 +20,31 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412647,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 412651,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
  effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412657,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
  effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412661,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
  effect: "execl(\"/bin/sh\", [esp+0x4])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb b/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb
index 74e137ab..44364290 100644
--- a/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb
+++ b/lib/one_gadget/builds/libc-2.19-1d7ac0a26e8dd7a9b8443fe4a5f59e46ee16ce74.rb
@@ -19,21 +19,27 @@
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 454364,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454386,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 454390,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 454394,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607443,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 607447,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
  effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 607453,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
  effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 607457,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
  effect: "execl(\"/bin/sh\", [esp+0x4])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb b/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb
index 1fcd4050..7c7b857a 100644
--- a/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb
+++ b/lib/one_gadget/builds/libc-2.19-1dae2bc5818d22b565ed441211d0e2df6e942c25.rb
@@ -19,21 +19,27 @@
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 460812,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 460834,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 460838,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 460842,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610008,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 610012,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
  effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 610018,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
  effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 610022,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
  effect: "execl(\"/bin/sh\", [esp+0x4])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb b/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb
index 6bd43d0b..205a920b 100644
--- a/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb
+++ b/lib/one_gadget/builds/libc-2.19-1db2291c040579630f551b3568d0bc8758aa25d7.rb
@@ -20,25 +20,28 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 262998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 263082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759868,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
  effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 883580,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 883592,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
  effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 898673,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
  effect: "execve(\"/bin/sh\", r9, rdx)")
 
diff --git a/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb b/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb
index fba96b5b..f167352d 100644
--- a/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb
+++ b/lib/one_gadget/builds/libc-2.19-1dcad38451d0f4e339ac91079d6a20e40015d7f4.rb
@@ -19,22 +19,31 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249047,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249054,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 249063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 249099,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 249103,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409632,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 409636,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
  effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409642,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
  effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409646,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
  effect: "execl(\"/bin/sh\", [esp+0x4])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb b/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb
index e0aeae27..ff983ec7 100644
--- a/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb
+++ b/lib/one_gadget/builds/libc-2.19-20f983ed5f4a8d177a9839b4abe44ffa35e1eade.rb
@@ -19,22 +19,31 @@
 # .
 
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256039,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 256046,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 256055,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
  effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 256091,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 256095,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
  effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409184,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 409188,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
  effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409194,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
  effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409198,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
  effect: "execl(\"/bin/sh\", [esp+0x4])")
 
diff --git a/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb b/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb
index 49af62a9..a807f34b 100644
--- a/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb
+++ b/lib/one_gadget/builds/libc-2.19-21f20ffd821a693d32e258aa6a64e6bde5c5bdaf.rb
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 460812, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 460834, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 460838, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 460842, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610008, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610012, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610018, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610022, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb b/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb index 8a63b5fc..121a23fe 100644 --- a/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb +++ b/lib/one_gadget/builds/libc-2.19-22325505e6f257ab00ca32d46cd444c903d5dc89.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262187, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 262194, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262203, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262239, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 262243, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414981, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414985, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414991, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414995, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb b/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb index dc03bea6..73a29b0a 100644 --- a/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb +++ b/lib/one_gadget/builds/libc-2.19-22ea459c5bf13179544fc0bc92372ebe52792f53.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406400, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406404, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406410, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406414, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb b/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb index 47920a3b..31ca1013 100644 --- a/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb +++ b/lib/one_gadget/builds/libc-2.19-267899ea9a83d7e5bd2ae3e53943cd57da6a01e7.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754733, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754812, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870631, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870643, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885952, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb b/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb index aa563631..2f38f49e 100644 --- a/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb +++ b/lib/one_gadget/builds/libc-2.19-26d70c7187d46c01bea7c22e8428fd6569d0f29c.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb b/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb index fe7f4509..3781da97 100644 --- a/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb +++ b/lib/one_gadget/builds/libc-2.19-27ae159e7958021d9c784daa60ac582aeb2e380c.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254967, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254974, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254983, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255019, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255023, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415207, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415211, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415217, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415221, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb b/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb index 14228a60..26f5cc42 100644 --- a/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb +++ b/lib/one_gadget/builds/libc-2.19-286f68616b18ea86201b1bd81c4e39ab441a876f.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254967, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254974, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254983, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255019, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255023, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415175, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415179, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415185, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415189, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb b/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb index e240e1cf..b328a516 100644 --- a/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb +++ b/lib/one_gadget/builds/libc-2.19-29ad0fae22588909ae24075cf3d30123d3563a3c.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262555, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262562, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262646, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 701405, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 701484, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 823359, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823371, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 838688, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb b/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb index ece70e6a..5b2d16ee 100644 --- a/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb +++ b/lib/one_gadget/builds/libc-2.19-29c9abe596db30c86fe28d30dc275485c7e3f240.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb b/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb index 3c25d438..aaadb77d 100644 --- a/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb +++ b/lib/one_gadget/builds/libc-2.19-2aebf61fd92ce11ccbc35f4f5e1da8843415ff2f.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274841, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274848, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274932, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755165, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755244, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870176, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 874775, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874787, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb b/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb index cfa7c455..06a919d1 100644 --- a/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb +++ b/lib/one_gadget/builds/libc-2.19-2b7794adc3efbe94dd7f17bb28382f42415ef32c.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606899, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606903, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606909, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606913, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb b/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb index 25381905..2cc3ff4b 100644 --- a/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb +++ b/lib/one_gadget/builds/libc-2.19-2bb9296b7b2843ef007f7de1b2995bc33ec8294d.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb b/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb
index f17ada91..49268982 100644
--- a/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb
+++ b/lib/one_gadget/builds/libc-2.19-2bba9d358bac63ff81597767b5bc229316bd12e0.rb
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267033,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267040,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267124,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 765053,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 765132,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 880919,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 880931,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 896240,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb b/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb
index 33eda5df..58528120 100644
--- a/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb
+++ b/lib/one_gadget/builds/libc-2.19-2dad3f021a0e10d56a36a3e6e83c641013bb8d0d.rb
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 262998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 263082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759868,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 883580,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 883592,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 898673,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb b/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb
index 3fe9f620..0466a668 100644
--- a/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb
+++ b/lib/one_gadget/builds/libc-2.19-2dc3a77a63a29cdfce5000c5e562da4574560802.rb
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb b/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb
index 9f48af7b..155ffd83 100644
--- a/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb
+++ b/lib/one_gadget/builds/libc-2.19-2ee2c632ffc91afb8662573f6870c70a03fecaad.rb
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 453852,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453874,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 453878,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 453882,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610323,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 610327,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 610333,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 610337,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb b/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb
index b622381b..b0c47ab5 100644
--- a/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb
+++ b/lib/one_gadget/builds/libc-2.19-2fc2eb810e87cbb9d2a9c79bb1aa31c3b84330c0.rb
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 256039,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 256046,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 256055,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 256091,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 256095,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409184,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 409188,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409194,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409198,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb b/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb
index 644fbcc0..813c21ea 100644
--- a/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb
+++ b/lib/one_gadget/builds/libc-2.19-309303fe5b44867525d535b4b8df1d9890128765.rb
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 274185,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 274192,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 274276,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 764189,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 764268,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 878784,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
 OneGadget::Gadget.add(build_id, 883528,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 883540,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb b/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb
index f2637e88..91bf4f8d 100644
--- a/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb
+++ b/lib/one_gadget/builds/libc-2.19-30c94dc66a1fe95180c3d68d2b89e576d5ae213c.rb
@@ -20,28 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 287953,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 287960,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 288044,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 793843,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 793922,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 936648,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
 OneGadget::Gadget.add(build_id, 940229,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 940241,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 944157,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb b/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb
index 2860a7bc..23c85b97 100644
--- a/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb
+++ b/lib/one_gadget/builds/libc-2.19-30d456d1974436ca70141610c206bbd4e9ac127f.rb
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb b/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb
index 11eff744..5841316c 100644
--- a/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb
+++ b/lib/one_gadget/builds/libc-2.19-30dfa78b54091b3517212562fbe71c82031135df.rb
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262523,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262530,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 262539,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 262575,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 262579,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415317,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 415321,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 415327,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 415331,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb b/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb
index 094e3f57..d979fb75 100644
--- a/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb
+++ b/lib/one_gadget/builds/libc-2.19-319d6e67364b59468f00c62003e31f9698590885.rb
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261015,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261022,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261031,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261067,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 261071,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414247,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 414251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 414257,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 414261,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb b/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb
index 415962ee..965ebcfa 100644
--- a/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb
+++ b/lib/one_gadget/builds/libc-2.19-325f373d48d6e3eb950fb4a1841cee80adf696e4.rb
@@ -20,22 +20,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254967,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254974,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254983,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 255019,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 255023,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415207,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
415211,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 415217,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 415221,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb b/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb
index 887fed47..92b83de9 100644
--- a/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb
+++ b/lib/one_gadget/builds/libc-2.19-335b30edc15f874730295594b30528ba178aeca7.rb
@@ -19,25 +19,28 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262523,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 262530,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 262614,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 700557,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 700636,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 822267,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 822279,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 837408,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx ==
NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb b/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb
index 673853d2..9b201e37 100644
--- a/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb
+++ b/lib/one_gadget/builds/libc-2.19-33adc3316a61d4db3e78e167be8f2d1c8b4a0474.rb
@@ -20,22 +20,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261639,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261646,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261655,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261691,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 261695,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 414983,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
414987,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 414993,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 414997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb b/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb
index 12edcccc..dae7ae94 100644
--- a/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb
+++ b/lib/one_gadget/builds/libc-2.19-34eca1b0e54755d19a70d3a74b744911f746902a.rb
@@ -20,22 +20,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262563,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 262570,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 262579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 262615,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 262619,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415381,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
415385,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 415391,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 415395,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb b/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb
index 8f8344c2..c2d43e72 100644
--- a/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb
+++ b/lib/one_gadget/builds/libc-2.19-35597c5d9140178626b2989b0f3049c825f17249.rb
@@ -19,22 +19,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248167,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248174,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248219,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248223,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408992,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
408996,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409002,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409006,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb b/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb
index 2b31411b..c45439e9 100644
--- a/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb
+++ b/lib/one_gadget/builds/libc-2.19-3565b3bf199d386bd0188a3690135b2ef82a559e.rb
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 609347,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 609351,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect:
"execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 609357,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 609361,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb b/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb
index f8cac2ee..d37a9e0f 100644
--- a/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb
+++ b/lib/one_gadget/builds/libc-2.19-365c74dde459303730e276b4d6022f1eacda06fd.rb
@@ -19,22 +19,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248407,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248414,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248423,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248459,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248463,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406240,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
406244,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406250,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406254,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb b/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb
index 947c7075..44468105 100644
--- a/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb
+++ b/lib/one_gadget/builds/libc-2.19-3691e2c3b9f75fbaf99c93f201c86a2df07a98d2.rb
@@ -20,22 +20,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260991,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 260998,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261007,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261043,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 261047,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412368,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
412372,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412378,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412382,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb b/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb
index 4af64360..89dc2b47 100644
--- a/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb
+++ b/lib/one_gadget/builds/libc-2.19-3701aa1820d0a1dc12ac27ffde0ca8c63c50ab4a.rb
@@ -20,22 +20,31 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id,
412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb b/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb
index 4714a6f0..cf2967e0 100644
--- a/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb
+++ b/lib/one_gadget/builds/libc-2.19-3883c7733b2a0819e0c7c2dcbadfdac26e0e2b72.rb
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 454092,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 454114,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 454118,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 454122,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607171,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 607175,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect:
"execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 607181,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 607185,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb b/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb
index 1d62193c..b57ceb5e 100644
--- a/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb
+++ b/lib/one_gadget/builds/libc-2.19-395c995bb2028f96efb60a6ebce75ed51d58c0b0.rb
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 453196,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453218,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 453222,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 453226,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 607139,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 607143,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect:
"execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 607149,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 607153,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb b/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb
index 2d1f9f3e..e4f7db90 100644
--- a/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb
+++ b/lib/one_gadget/builds/libc-2.19-39612ce36adeb6f7e92658cd62c737bc3a260586.rb
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248583, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408528, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408532, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408538, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408542, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb b/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb index 6549c888..71879cfb 100644 --- a/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb +++ b/lib/one_gadget/builds/libc-2.19-397c84e78c14cbffba39a48184db482211df9fb3.rb 
@@ -20,19 +20,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261720, + constraints: ["writable: x21+0x2e0", "{\"sh\", \"-c\", x22, x1, ...} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 261724, - constraints: ["writable: x21+0x2e0", "x3+0x9e0 == NULL"], + constraints: ["writable: x21+0x2e0", "x3+0x9e0 == NULL || {x3+0x9e0, \"-c\", x22, x1, ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 261732, - constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL"], + constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL || x20 is a valid argv"], effect: "execve(\"/bin/sh\", x20, environ)") OneGadget::Gadget.add(build_id, 261808, - constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"], + constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL || x20 is a valid argv"], effect: "execve(\"/bin/sh\", x20, environ)") OneGadget::Gadget.add(build_id, 261820, - constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"], + constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[[x0]] == NULL || [x0] == NULL || [x0] is a valid envp"], effect: "execve(\"/bin/sh\", x1, [x0])") OneGadget::Gadget.add(build_id, 261824, - constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"], + constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[x2] == NULL || x2 == NULL || x2 is a valid envp"], effect: "execve(\"/bin/sh\", x1, x2)") 
diff --git a/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb b/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb index f6ded99f..31245b4a 100644 --- a/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb +++ b/lib/one_gadget/builds/libc-2.19-39f403e178f6c4db89f200bae5afd6c55f61e34b.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409056, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409060, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409066, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409070, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb b/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb index 55303afc..6388f801 100644 --- a/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb +++ b/lib/one_gadget/builds/libc-2.19-3bbdc31d826a2bd8af0919d958620342c295c557.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880871, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880883, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896192, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb b/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb index 9a40bd21..f925a776 100644 --- a/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb +++ b/lib/one_gadget/builds/libc-2.19-3ea89e2234c5203ef245cd4146b515794079ceac.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb b/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb index 8c7fa9a4..64ce0aca 100644 --- a/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb +++ b/lib/one_gadget/builds/libc-2.19-3f8df0a32477b9b5c8521116e4d554f4dd784e9c.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267897, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267904, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267988, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755149, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755228, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870775, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870787, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885888, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb b/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb index ac708c9d..ebea4eb0 100644 --- a/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb +++ b/lib/one_gadget/builds/libc-2.19-40410c37ab2b3867bcc1efa841c4bd990bbaced6.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274313, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274320, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274404, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753661, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753740, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 868944, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 873688, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 873700, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb b/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb index 2510e10a..faae6e63 100644 --- a/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb +++ b/lib/one_gadget/builds/libc-2.19-40443517ebed72833c0cea4364db0346c422be75.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412615, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412619, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412625, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412629, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb b/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb index 177f857b..8f1d68cf 100644 --- a/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb +++ b/lib/one_gadget/builds/libc-2.19-410c538cbb80e04ba67f8f93ead7c915cb8b151e.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255467, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255474, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255483, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255519, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255523, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 417007, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
417011, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 417017, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 417021, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb b/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb index 38a2c04d..837b56b9 100644 --- a/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb +++ b/lib/one_gadget/builds/libc-2.19-410c5d16e862678b3263a8250ad936b99554050c.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254583, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb b/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb index f5125e8c..49aae058 100644 --- a/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb +++ b/lib/one_gadget/builds/libc-2.19-42150628cea5ef0a4f7f48267f0d6fd206d7bef4.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414711, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414715, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414721, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414725, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb b/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb index 7b4f1b42..27b36a06 100644 --- a/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb +++ b/lib/one_gadget/builds/libc-2.19-4315ee2103b2f1797d8d18ef03714dbdc4417095.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454076, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454098, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454102, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454106, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 607155, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 607159, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607165, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607169, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb b/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb index 15462144..b5bbe419 100644 --- a/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb +++ b/lib/one_gadget/builds/libc-2.19-4360063303905bf941489398b5601c5e2bc6c3a7.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267865, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267872, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267956, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754877, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754956, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870503, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870515, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb b/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb index 8fc6a84f..acdc14e0 100644 --- a/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb +++ b/lib/one_gadget/builds/libc-2.19-441d0bc3f372750187a7cc29528fca0f2fa4297d.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606995, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606999, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607005, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607009, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb b/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb index 00c08b14..d2354a5e 100644 --- a/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb +++ b/lib/one_gadget/builds/libc-2.19-444c5eaa7cb665ed9b90d3edc47e07c9eeb22c49.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb b/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb index a95a811c..e1000b3c 100644 --- a/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb +++ b/lib/one_gadget/builds/libc-2.19-458c7913f032820ce7610496892f79a4779b0224.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412775, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412779, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412785, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412789, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb b/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb index 56900406..7c417525 100644 --- a/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb +++ b/lib/one_gadget/builds/libc-2.19-460355a265c134c0c801820ab5e80e37e2cd9b00.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 460812, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 460834, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 460838, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 460842, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610008, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610012, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610018, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610022, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb b/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb index 278defad..d15be753 100644 --- a/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb +++ b/lib/one_gadget/builds/libc-2.19-47411da31c1af33c897d1646f68d4443c3a156f2.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880199, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880211, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb b/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb index 470b6e44..56e1e0fd 100644 --- a/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb +++ b/lib/one_gadget/builds/libc-2.19-482a813d828d5fe257838e679dff9b7be56bf4fb.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267913, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267920, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 268004, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755165, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755244, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870791, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870803, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885904, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb b/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb index 71e28619..bbf86883 100644 --- a/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb +++ b/lib/one_gadget/builds/libc-2.19-484428905d6e138e0b88e97107732ace68c12752.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606899, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606903, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606909, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606913, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb b/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb index 81771210..594e8c9a 100644 --- a/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb +++ b/lib/one_gadget/builds/libc-2.19-4866fc3ad424dfb788e9ad11039b7759f3b51574.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266937, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266944, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267028, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754125, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754204, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 869735, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 869747, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 884848, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb b/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb index 4b0cdf5a..7e068d06 100644 --- a/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb +++ b/lib/one_gadget/builds/libc-2.19-48b333aa64a86c31334714305379a6c1f1701c69.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606899, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606903, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606909, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606913, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb b/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb index 435a93ca..f34d9162 100644 --- a/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb +++ b/lib/one_gadget/builds/libc-2.19-49f3ac15a25f78f0258283b3a207017e51ced583.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406400, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406404, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406410, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406414, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb b/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb index ff90d487..d6df1fcb 100644 --- a/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb +++ b/lib/one_gadget/builds/libc-2.19-4a384b8c751de6c0e2652261310104bf1b2127d5.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254295, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254302, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254311, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254347, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254351, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414559, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414563, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414569, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414573, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb b/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb index 1934a099..2cf9f358 100644 --- a/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb +++ b/lib/one_gadget/builds/libc-2.19-4a5eeadb796e6dba8f289a90de2b53e71c8e8788.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248583, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408560, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408564, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408570, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408574, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb b/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb index 96a7ced7..b5292d38 100644 --- a/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb +++ b/lib/one_gadget/builds/libc-2.19-4daad26169c5c868b8ae90587fff76cc28e7b309.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409024, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409028, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409034, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409038, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb b/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb index 83f66983..a41a7272 100644 --- a/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb +++ b/lib/one_gadget/builds/libc-2.19-4e304f78f3cfb52dd521bd6fd8ae7a0c7400104e.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254583, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412711, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412715, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412721, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412725, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb b/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb index cd4a00b6..9feb7be6 100644 --- a/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb +++ b/lib/one_gadget/builds/libc-2.19-4e9b0243eb28ea1a14539448a5317d6215fa13fa.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406432, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406436, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406442, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406446, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb b/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb index 6753d254..7e846589 100644 --- a/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb +++ b/lib/one_gadget/builds/libc-2.19-4eda8ff01be3fba1c7bdd442a8690c3dc7397b6a.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274185, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274192, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274276, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 764189, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 764268, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 878784, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 883528, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 883540, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb b/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb index 5691ad62..d17d955e 100644 --- a/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb +++ b/lib/one_gadget/builds/libc-2.19-4f953c59dca85d439af86c6564c9fdb07cccafd5.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412615, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412619, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412625, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412629, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb b/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb index e990ad59..bd37967e 100644 --- a/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb +++ b/lib/one_gadget/builds/libc-2.19-509ee0c9616c4c3ed81951501a8950e1f529bbff.rb 
@@ -20,19 +20,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261528, + constraints: ["writable: x21+0x2d8", "{\"sh\", \"-c\", x22, x1, ...} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 261532, - constraints: ["writable: x21+0x2d8", "x3+0x6c0 == NULL"], + constraints: ["writable: x21+0x2d8", "x3+0x6c0 == NULL || {x3+0x6c0, \"-c\", x22, x1, ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 261540, - constraints: ["writable: x20", "writable: x21+0x2d8", "[x20] == NULL || x20 == NULL"], + constraints: ["writable: x20", "writable: x21+0x2d8", "[x20] == NULL || x20 == NULL || x20 is a valid argv"], effect: "execve(\"/bin/sh\", x20, environ)") OneGadget::Gadget.add(build_id, 261616, - constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"], + constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x20] == NULL || x20 == NULL || x20 is a valid argv"], effect: "execve(\"/bin/sh\", x20, environ)") OneGadget::Gadget.add(build_id, 261628, - constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"], + constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[[x0]] == NULL || [x0] == NULL || [x0] is a valid envp"], effect: "execve(\"/bin/sh\", x1, [x0])") OneGadget::Gadget.add(build_id, 261632, - constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"], + constraints: ["writable: x21+0x2d8", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[x2] == NULL || x2 == NULL || x2 is a valid envp"], effect: "execve(\"/bin/sh\", x1, x2)") 
diff --git a/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb b/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb index 0bf6bbe9..06c5d462 100644 --- a/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb +++ b/lib/one_gadget/builds/libc-2.19-50c2ed4707152ba59bfacfd4e1fabc3b28ddc140.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261647, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261654, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261663, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261699, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261703, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414887, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414891, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414897, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414901, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb b/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb index 2ef707d7..8fdf226f 100644 --- a/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb +++ b/lib/one_gadget/builds/libc-2.19-50e2c3560712d3d9f7af3d155cdeb69687045dd2.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754717, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754796, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870583, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870595, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885904, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb b/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb index dfd065e5..8215e7f5 100644 --- a/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb +++ b/lib/one_gadget/builds/libc-2.19-512993e1c66001e0ad11feea73ddfc22f9c0767b.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb b/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb index 99a7bcbc..1e012d13 100644 --- a/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb +++ b/lib/one_gadget/builds/libc-2.19-515cd2920490d13129bbad0514c7c7c7e67c18bc.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409024, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409028, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409034, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409038, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb b/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb index 2ae1b9e1..b6bfe1da 100644 --- a/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb +++ b/lib/one_gadget/builds/libc-2.19-51a7763b217be74d9da6fd006c32f82ef82477b5.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 607171, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 607175, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607181, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607185, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb b/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb index 8a52f33e..4cbea956 100644 --- a/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb +++ b/lib/one_gadget/builds/libc-2.19-5382058b69031caa9b9996c11061cd164c9398ff.rb 
@@ -20,28 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287953, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287960, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 288044, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 793843, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 793922, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 936648, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])") OneGadget::Gadget.add(build_id, 940229, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 940241, - constraints: ["[rsi] == NULL || rsi == 
NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 944157, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb b/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb index df0112b9..c63aa295 100644 --- a/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb +++ b/lib/one_gadget/builds/libc-2.19-5455f3eafe22e7a085c3568bebc324a2ade811ea.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248583, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408528, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408532, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408538, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408542, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb b/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb index 7e41a088..0a390e14 100644 --- a/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb +++ b/lib/one_gadget/builds/libc-2.19-54b97c45aa9ce58ba4dea4eda316f49927e51cff.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254967, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254974, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254983, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255019, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255023, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415175, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415179, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415185, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415189, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb b/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb index 50d02eb2..5de7fbca 100644 --- a/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb +++ b/lib/one_gadget/builds/libc-2.19-54fe99efd891702e87da514403a2d3d8cae8032b.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408800, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408804, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408810, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408814, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb b/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb index 4ce01bd1..da3d8527 100644 --- a/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb +++ b/lib/one_gadget/builds/libc-2.19-5537ab284321fdc6efd07276d6e4c524014bf069.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254311, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254318, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254327, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254363, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254367, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414519, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414523, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414529, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414533, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb b/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb index 8c992d04..84340928 100644 --- a/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb +++ b/lib/one_gadget/builds/libc-2.19-55e62f166b419389a0de90ceab52c337946ba643.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414711, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414715, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414721, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414725, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb b/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb index 77d7d90d..2a09e68c 100644 --- a/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb +++ b/lib/one_gadget/builds/libc-2.19-56338f83f1b656ee4395a8d3bddf810725151e91.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248407, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248414, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248423, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248459, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248463, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406208, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406212, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406218, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406222, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb b/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb index 0e454d81..67a92cf7 100644 --- a/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb +++ b/lib/one_gadget/builds/libc-2.19-58915015546da78c4116e45480be238bac4c59a7.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609347, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609351, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609357, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609361, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb b/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb index ee31977b..da48bfc6 100644 --- a/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb +++ b/lib/one_gadget/builds/libc-2.19-58cabb8c6f68b05a1c1c9a707a43f22c3a55a3e9.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606707, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606711, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606717, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606721, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb b/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb index 6ffcd954..b56dfffe 100644 --- a/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb +++ b/lib/one_gadget/builds/libc-2.19-5962ff0ec39da4ea3c572535d1da0c0d3b10cfe9.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 608835, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 608839, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 608845, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 608849, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb b/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb index b20d87e4..336270c1 100644 --- a/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb +++ b/lib/one_gadget/builds/libc-2.19-5a49bf8def435ac3fe9208df3c6b5622fe347a97.rb 
@@ -20,28 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287777, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287784, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287868, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 809715, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 809794, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 951832, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])") OneGadget::Gadget.add(build_id, 955413, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 955425, - constraints: ["[rsi] == NULL || rsi == 
NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 959341, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb b/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb index 923f1069..c696d976 100644 --- a/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb +++ b/lib/one_gadget/builds/libc-2.19-5a49ee56df5b5ab48a6f5607bb46a0b92a3d1c34.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262563, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 262570, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262579, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262615, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 262619, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415381, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415385, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415391, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415395, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb b/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb index 51fb62f7..b2554d6c 100644 --- a/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb +++ b/lib/one_gadget/builds/libc-2.19-5a7a0413044f37bc4096c7bc4c33d1ea6880d856.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754733, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754812, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870615, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870627, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885936, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb b/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb index fe6d2fc3..f7af776c 100644 --- a/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb +++ b/lib/one_gadget/builds/libc-2.19-5a968877a4a31019701f53ed38130c1313a5e0ad.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255467, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255474, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255483, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255519, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255523, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 417007, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
417011, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 417017, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 417021, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb b/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb index 188070e5..69a2153d 100644 --- a/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb +++ b/lib/one_gadget/builds/libc-2.19-5ab6a00d805f696b8aa6d0d2ee29d511b41499d1.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412775, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412779, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412785, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412789, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb b/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb index 718f2b31..04f14f4f 100644 --- a/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb +++ b/lib/one_gadget/builds/libc-2.19-5b344bb54cc929c6849371987107f587bd9e0d48.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754717, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754796, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870583, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870595, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885904, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb b/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb index f2786c0b..67d404ce 100644 --- a/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb +++ b/lib/one_gadget/builds/libc-2.19-5b60e04aabbebdb248f5c03dad0ca1a9fab8be5f.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249239, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249246, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249255, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249291, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249295, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409216, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409220, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409226, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409230, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb b/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb index 75d05f0e..ac23d681 100644 --- a/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb +++ b/lib/one_gadget/builds/libc-2.19-5ba8f97e1beb7f068474d473e2db786c07df8561.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415095, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415099, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415105, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415109, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb b/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb index da7fcfad..dc7b3197 100644 --- a/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb +++ b/lib/one_gadget/builds/libc-2.19-5c02e6b0e80785f5944265c698dc811862018d21.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249239, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249246, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249255, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249291, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249295, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409248, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409252, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409258, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409262, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb b/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb index f3039758..165775e5 100644 --- a/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb +++ b/lib/one_gadget/builds/libc-2.19-5c14523f13f0fb9be3366f446e9e48165373ddf8.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452812, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452834, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452838, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452842, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609283, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609287, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609293, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609297, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb b/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb index d3e84286..d56816e3 100644 --- a/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb +++ b/lib/one_gadget/builds/libc-2.19-5e1e27a45fbd02cfa9a95bf657fc4aa53af75421.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754717, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754796, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870583, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870595, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885904, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb b/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb index 0643a6e8..732884a1 100644 --- a/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb +++ b/lib/one_gadget/builds/libc-2.19-605a6d751871d12a83e34359ff4d73c895d6f4ce.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261639, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261646, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261655, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261695, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415015, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415019, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415025, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415029, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb b/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb index 0ed4b83e..3d118d80 100644 --- a/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb +++ b/lib/one_gadget/builds/libc-2.19-60b315c3b5a4b7e4bf699cf79a137d19a9a13d89.rb 
@@ -21,22 +21,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 242675, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 242677, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 242681, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 242688, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 242723, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 242724, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 412260, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb b/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb index 1f33a55d..a2772c3e 100644 --- a/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb +++ b/lib/one_gadget/builds/libc-2.19-60c7d280d7c8af6758a3a951524487641f349460.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262731, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 262738, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262747, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262783, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 262787, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 417861, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
417865, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 417871, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 417875, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb b/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb index 1ab0e797..e5b3fbbc 100644 --- a/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb +++ b/lib/one_gadget/builds/libc-2.19-61eeda0c442c32c20f93008acbc978e28cca956d.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454076, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454098, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454102, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454106, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609331, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609335, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609341, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609345, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb b/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb index e211beda..6b6dfb82 100644 --- a/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb +++ b/lib/one_gadget/builds/libc-2.19-63b04eb27336fd6c68f7bd8ba76ccbcc8df1b46c.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248407, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248414, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248423, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248459, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248463, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406208, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406212, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406218, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406222, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb b/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb index ca987da5..ceecc95e 100644 --- a/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb +++ b/lib/one_gadget/builds/libc-2.19-6573062b2d3648b5970f82fbd63cd154c9d84661.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406432, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406436, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406442, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406446, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb b/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb index baf98d86..8e375229 100644 --- a/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb +++ b/lib/one_gadget/builds/libc-2.19-6573e7dbcbb6179989e2308746f65b95c4117485.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606899, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606903, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606909, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606913, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb b/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb index f7eb518b..d4088ed3 100644 --- a/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb +++ b/lib/one_gadget/builds/libc-2.19-6850f318041a1a5a202ab0512dda55e80ff19ec8.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 453772, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 453794, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 453798, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 453802, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609027, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609031, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609037, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609041, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb b/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb index 3eed4604..6d6337d9 100644 --- a/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb +++ b/lib/one_gadget/builds/libc-2.19-68977b6661c8b646d7d88e32d81916937e346001.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 453596, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 453618, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 453622, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 453626, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610147, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610151, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610157, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610161, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb b/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb index 31e41419..306fd308 100644 --- a/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb +++ b/lib/one_gadget/builds/libc-2.19-69673214041206e0eee5b9b5b47fd12d733127e1.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262555, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262562, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262646, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 701405, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 701484, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 823359, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823371, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 838688, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb b/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb index dd018530..51d96f89 100644 --- a/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb +++ b/lib/one_gadget/builds/libc-2.19-6a6d6625087a1de6139a620795ef8b2360a06592.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454076, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454098, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454102, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454106, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609331, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609335, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609341, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609345, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb b/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb index 69b6a49d..f42029a3 100644 --- a/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb +++ b/lib/one_gadget/builds/libc-2.19-6abcb030391dbadd0fda38c3975ad6dcfe7fe20c.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409056, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409060, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409066, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409070, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb b/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb index 8163f527..12277fc4 100644 --- a/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb +++ b/lib/one_gadget/builds/libc-2.19-6aff6d091954955fe931bb720a17708513aabda7.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261399, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261406, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261415, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261451, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261455, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412768, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412772, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412778, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412782, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb b/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb index ffb8df85..f37c6662 100644 --- a/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb +++ b/lib/one_gadget/builds/libc-2.19-6b536aa43eabd040e5117034f582d1c0374980cd.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261639, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261646, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261655, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261695, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414983, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414987, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414993, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414997, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb b/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb index 0e2e79c4..477b16eb 100644 --- a/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb +++ b/lib/one_gadget/builds/libc-2.19-6d7e55c204d097c75f6b89717876c17f0dc1779a.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606899, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606903, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606909, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606913, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb b/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb index 6df1a020..e59f4bd9 100644 --- a/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb +++ b/lib/one_gadget/builds/libc-2.19-6d8d0b8321b58b20d824cfa9d68d66769caa9b42.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255271, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255278, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255287, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255323, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255327, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415479, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415483, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415489, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415493, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb b/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb index 2ee36b8b..925186c9 100644 --- a/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb +++ b/lib/one_gadget/builds/libc-2.19-6ee0f980c1c75935d8802d0ea84e0a9f09874c51.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274313, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274320, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274404, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753661, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753740, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 868944, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 873688, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 873700, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb b/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb index 112393ac..bdb021fc 100644 --- a/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb +++ b/lib/one_gadget/builds/libc-2.19-700e2a19dfcc8e20b41145039b6c823123676696.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 453596, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 453618, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 453622, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 453626, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610147, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610151, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610157, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610161, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb b/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb index 8d17f8ff..5833ec05 100644 --- a/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb +++ b/lib/one_gadget/builds/libc-2.19-705f27d45e46aeda2619beb62fc804d1c2fbe26c.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb b/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb index aa97cf8f..edb60399 100644 --- a/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb +++ b/lib/one_gadget/builds/libc-2.19-707bc133809b86abab918bb8a8fc7791fe916765.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 256267, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 256274, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 256283, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 256319, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 256323, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 420079, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
420083, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 420089, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 420093, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb b/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb index dad43a93..16b624c3 100644 --- a/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb +++ b/lib/one_gadget/builds/libc-2.19-74a3b58450e957c04e2cca3619695cb3d73bb68e.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415063, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415067, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415073, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415077, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb b/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb index 26bf62ef..322a2c14 100644 --- a/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb +++ b/lib/one_gadget/builds/libc-2.19-74bf136a60dee4fe2f7ca0d9b40fbdd6b0115496.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609411, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609415, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609421, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609425, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb b/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb index 324ad2ff..86f8816d 100644 --- a/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb +++ b/lib/one_gadget/builds/libc-2.19-7553121919b4b6bb1d86f8b1eb8eb152e6fb1218.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880199, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880211, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb b/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb index ccf75bdb..d5543137 100644 --- a/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb +++ b/lib/one_gadget/builds/libc-2.19-77063a4c59e02c182d5afae288f450c7cdf5b6da.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248791, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248798, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248807, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248843, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248847, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409376, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409380, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409386, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409390, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb b/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb index e2309424..25cb1a88 100644 --- a/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb +++ b/lib/one_gadget/builds/libc-2.19-77504f0405a2d81d64310f262ac559cdc8375b04.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266937, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266944, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267028, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754125, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754204, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 869735, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 869747, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 884848, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb b/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb index 2c8fc633..9b048439 100644 --- a/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb +++ b/lib/one_gadget/builds/libc-2.19-77bcde9cd55f5ca93684b46705e0851585b94019.rb 
@@ -20,28 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287873, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287880, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287964, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 793875, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 793954, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 936680, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])") OneGadget::Gadget.add(build_id, 940261, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 940273, - constraints: ["[rsi] == NULL || rsi == 
NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 944189, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb b/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb index 7302666a..ccc4534c 100644 --- a/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb +++ b/lib/one_gadget/builds/libc-2.19-78c0362905c145cfc28aa2ff409962f3c8b2cb6b.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254439, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254446, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254455, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254491, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254495, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412463, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412467, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412473, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412477, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb b/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb index c0647afa..335228ad 100644 --- a/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb +++ b/lib/one_gadget/builds/libc-2.19-7a7914eec99efd40990d0b1978a01caf46612636.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267961, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267968, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 268052, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755213, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755292, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870839, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870851, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885952, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb b/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb index 1056a2b5..8ff356cd 100644 --- a/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb +++ b/lib/one_gadget/builds/libc-2.19-7ccbbd7f1713d8eebb6042a8da7e9f2ac1878d42.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249543, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249550, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249559, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249595, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249599, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409536, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409540, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409546, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409550, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb b/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb index dcde4a32..f73f5f6e 100644 --- a/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb +++ b/lib/one_gadget/builds/libc-2.19-7cf04fce2326ced25e80c0d7972408574a0817e6.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274841, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274848, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274932, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755165, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755244, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870272, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 874871, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874883, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb b/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb index cde0576d..33725111 100644 --- a/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb +++ b/lib/one_gadget/builds/libc-2.19-7d415bffb8dbc06c96e116d8e8f0d8deababbd9e.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274265, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274272, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274356, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753597, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753676, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 868880, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 873624, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 873636, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb b/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb index bc37c96d..07ce18c3 100644 --- a/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb +++ b/lib/one_gadget/builds/libc-2.19-7e523a4a16878ad1fcb7844e93bdd4d474843f86.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408832, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408836, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408842, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408846, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb b/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb index 0b83a91e..aed6c375 100644 --- a/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb +++ b/lib/one_gadget/builds/libc-2.19-7e97512d5895e6d5e26dc5b26b31c575a80f0188.rb 
@@ -22,22 +22,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 253955, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 253962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 253971, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254007, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254011, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 416399, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
416403, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 416409, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 416413, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb b/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb index d7ba383b..1f03119e 100644 --- a/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb +++ b/lib/one_gadget/builds/libc-2.19-7f380884708f0bac5c779705562e01ccc7ecf223.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454556, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454578, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454582, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454586, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609859, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609863, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609869, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609873, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb b/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb index 569a1ca9..b9f2c708 100644 --- a/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb +++ b/lib/one_gadget/builds/libc-2.19-7f6d04c0ad1b67e316c80cd606720675fc111b50.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414679, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414683, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414689, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414693, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb b/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb index 456a408f..6d6bc0aa 100644 --- a/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb +++ b/lib/one_gadget/builds/libc-2.19-7fbf66aed8b38b67a1a5653e27e9e4d430b9ada6.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406400, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406404, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406410, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406414, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb b/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb index 9e971e99..f27c16fb 100644 --- a/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb +++ b/lib/one_gadget/builds/libc-2.19-80c8143bd0180bbeb21b7d8c12687d043ae81c7d.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254967, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254974, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254983, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255019, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255023, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415175, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415179, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415185, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415189, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb b/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb index f2626f59..d51b2891 100644 --- a/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb +++ b/lib/one_gadget/builds/libc-2.19-8131bf46e87501516970176f3f7e86762ffcc3bf.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb b/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb index 7aa5380f..3461e971 100644 --- a/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb +++ b/lib/one_gadget/builds/libc-2.19-83aef0e751f3dddd4b56c5be57524239e39eecaa.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452812, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452834, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452838, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452842, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609283, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609287, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609293, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609297, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb b/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb index 5841e40e..fd52f54b 100644 --- a/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb +++ b/lib/one_gadget/builds/libc-2.19-83f3af43ecaf52a63801ea59ad113835dfb31d58.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 253111, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 253118, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 253127, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 253163, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 253167, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412007, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412011, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412017, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412021, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb b/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb index 3f086db4..bdc5fbb0 100644 --- a/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb +++ b/lib/one_gadget/builds/libc-2.19-845104cd0116005c9b9569fe3c6d5afd3689a01e.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254311, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254318, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254327, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254363, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254367, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414551, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414555, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414561, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414565, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb b/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb index ce77a95b..7af7ff08 100644 --- a/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb +++ b/lib/one_gadget/builds/libc-2.19-8564abd306654cfc468a54117954244e1a2c9102.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412775, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412779, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412785, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412789, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb b/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb index e7b4be53..4ec41ac7 100644 --- a/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb +++ b/lib/one_gadget/builds/libc-2.19-863b5d3db2ef5af0b32dba633dca439a3908c42e.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754269, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754348, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 869879, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 869891, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 884992, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb b/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb index 3b86ba8c..532e4d72 100644 --- a/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb +++ b/lib/one_gadget/builds/libc-2.19-866e18be92e8dcab711b7c1e3402065deff5df70.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249495, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249502, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249511, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249547, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249551, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409504, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409508, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409514, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409518, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb b/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb index 62913672..7fac6039 100644 --- a/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb +++ b/lib/one_gadget/builds/libc-2.19-869f691faebbe08548ec64381e41acf5997c0fb0.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406400, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406404, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406410, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406414, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb b/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb index dba0439f..cfd935fe 100644 --- a/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb +++ b/lib/one_gadget/builds/libc-2.19-87805ebef970b79b4a1fb5facb43719a26c335af.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255271, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255278, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255287, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255323, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255327, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415511, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415515, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415521, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415525, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb b/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb index c0761824..c77329aa 100644 --- a/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb +++ b/lib/one_gadget/builds/libc-2.19-887a7db21e668f6153604d9e00d1026137f777ee.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412775, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412779, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412785, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412789, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb b/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb index c99ef800..17af21ce 100644 --- a/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb +++ b/lib/one_gadget/builds/libc-2.19-8b05579712ebaea7cae547f4fc461c0828e9c446.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248167, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248174, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248183, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248219, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248223, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406688, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406692, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406698, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406702, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb b/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb index 8dd5eedb..91dbc2de 100644 --- a/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb +++ b/lib/one_gadget/builds/libc-2.19-8c5d5643cd08bc078f22310103f7c6af4ed37921.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267209, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267216, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267300, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765341, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765420, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 881207, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881219, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896528, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb b/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb index e370ebb1..432b89f9 100644 --- a/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb +++ b/lib/one_gadget/builds/libc-2.19-8cb4573f8cc3764df7570800247a76dd63d847b4.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880199, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880211, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb b/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb index 75f081db..c2868a7f 100644 --- a/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb +++ b/lib/one_gadget/builds/libc-2.19-8d935a42f2f2a1149aa52d3098b32b1d5012cb67.rb 
@@ -20,19 +20,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261720, + constraints: ["writable: x21+0x2e0", "{\"sh\", \"-c\", x22, x1, ...} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 261724, - constraints: ["writable: x21+0x2e0", "x3+0x3b0 == NULL"], + constraints: ["writable: x21+0x2e0", "x3+0x3b0 == NULL || {x3+0x3b0, \"-c\", x22, x1, ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 261732, - constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL"], + constraints: ["writable: x20", "writable: x21+0x2e0", "[x20] == NULL || x20 == NULL || x20 is a valid argv"], effect: "execve(\"/bin/sh\", x20, environ)") OneGadget::Gadget.add(build_id, 261808, - constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL"], + constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x20] == NULL || x20 == NULL || x20 is a valid argv"], effect: "execve(\"/bin/sh\", x20, environ)") OneGadget::Gadget.add(build_id, 261820, - constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[[x0]] == NULL || [x0] == NULL"], + constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[[x0]] == NULL || [x0] == NULL || [x0] is a valid envp"], effect: "execve(\"/bin/sh\", x1, [x0])") OneGadget::Gadget.add(build_id, 261824, - constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL", "[x2] == NULL || x2 == NULL"], + constraints: ["writable: x21+0x2e0", "writable: x24+0x4", "[x1] == NULL || x1 == NULL || x1 is a valid argv", "[x2] == NULL || x2 == NULL || x2 is a valid envp"], effect: "execve(\"/bin/sh\", x1, x2)") 
diff --git a/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb b/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb index c08bc0e8..756e083c 100644 --- a/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb +++ b/lib/one_gadget/builds/libc-2.19-8e4150ea59c3a6fdc9f001ba17274f7c48e4be21.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267897, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267904, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267988, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755149, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755228, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870775, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870787, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885888, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb b/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb index f7768e9f..4f25ede0 100644 --- a/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb +++ b/lib/one_gadget/builds/libc-2.19-8fa762223d6b8ee6d47af7455c691a5e238c8209.rb 
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408560,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 408564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 408570,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 408574,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb b/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb
index 02d6bdce..46e3e394 100644
--- a/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb
+++ b/lib/one_gadget/builds/libc-2.19-90b068141be8b0f52ef8dc93e8327cda87a632bc.rb
@@ -20,28 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281025,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 281032,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 281116,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 796211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 796290,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 937909,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 937921,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 941662,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
 OneGadget::Gadget.add(build_id, 963176,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
diff --git a/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb b/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb
index 15bd76db..e46c6911 100644
--- a/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb
+++ b/lib/one_gadget/builds/libc-2.19-913a7e92e674593c7e1121b0013d81e20cebe85c.rb
@@ -20,25 +20,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 266985,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 266992,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267076,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 765005,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 765084,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 880199,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 880211,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895520,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb b/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb
index 61665517..57907d7b 100644
--- a/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb
+++ b/lib/one_gadget/builds/libc-2.19-9356622cb19154bd2d3bb21e67f188e3cc3e2902.rb
@@ -19,21 +19,27 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 453564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
+OneGadget::Gadget.add(build_id, 453586,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
+ effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 453590,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 453594,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 610136,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 610140,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 610146,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 610150,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb b/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb
index a95bda3c..02761281 100644
--- a/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb
+++ b/lib/one_gadget/builds/libc-2.19-95287be8acccc7b5723f4306e6a5eca6dfe7bffd.rb
@@ -20,28 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 281297,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 281304,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 281388,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 793523,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 793602,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 935269,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 935281,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 939084,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 960280,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
diff --git a/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb b/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb
index ed6cbaa2..9ef1ea54 100644
--- a/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb
+++ b/lib/one_gadget/builds/libc-2.19-9a970aa5f863d2ccecd63ceef8bb57d28e55be11.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 270395,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 270402,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 270486,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 701581,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 701660,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 822480,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
 OneGadget::Gadget.add(build_id, 826475,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 826487,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb b/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb
index 2f254bf3..096d4c3f 100644
--- a/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb
+++ b/lib/one_gadget/builds/libc-2.19-9bf807e100d6c152efd7e845c65ecfb92e2e202e.rb
@@ -20,22 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412743,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 412747,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412753,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412757,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb b/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb
index 94a0e5d9..d3088b16 100644
--- a/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb
+++ b/lib/one_gadget/builds/libc-2.19-9d1dd2edd9ada4b73ddc73ea10ba1c9ef0810248.rb
@@ -20,25 +20,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754717,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 754796,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 870583,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 870595,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 885904,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb b/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb
index 303adcad..91a66e83 100644
--- a/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb
+++ b/lib/one_gadget/builds/libc-2.19-9e817f4c472417e94d161b392e13d6aeb76f0b5a.rb
@@ -20,22 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254471,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254478,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254487,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254523,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254527,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412615,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 412619,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412625,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412629,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb b/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb
index cab30f2a..7cea9e51 100644
--- a/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb
+++ b/lib/one_gadget/builds/libc-2.19-a13df1fb206f167af0eef4d438f3949d80f8bce3.rb
@@ -20,25 +20,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 267081,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267088,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 267172,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754269,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 754348,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 869895,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 869907,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 885008,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb b/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb
index b813abd0..ff4a837f 100644
--- a/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb
+++ b/lib/one_gadget/builds/libc-2.19-a1818c2dd8e7c4a3d4f61270b4b29330d6b51391.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248055,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248062,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248071,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248107,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248111,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406576,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 406580,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406586,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406590,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb b/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb
index e453d3ff..ade62a3b 100644
--- a/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb
+++ b/lib/one_gadget/builds/libc-2.19-a2d884479c5c8f73fbb82e6fefa5083623826cc1.rb
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248055, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248062, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248071, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248107, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248111, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406576, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406580, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406586, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406590, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb b/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb index 1937cb08..866d5b49 100644 --- a/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb +++ b/lib/one_gadget/builds/libc-2.19-a3386004b2a158b95ba4c26c01e421e6c2191a47.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248135, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248142, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248151, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248187, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248191, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408704, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408708, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408714, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408718, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb b/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb index 33680f25..cc4b0182 100644 --- a/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb +++ b/lib/one_gadget/builds/libc-2.19-a3c88cff23421ec2e3c97860bdf28868592ed14c.rb 
@@ -21,22 +21,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 242675, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 242677, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 242681, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 242688, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 242723, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 242724, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 412260, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb b/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb index ba5720a5..b85bd1fb 100644 --- a/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb +++ b/lib/one_gadget/builds/libc-2.19-a3ebc8ad2873288cbd2a510de65161c697310e5c.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249543, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249550, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249559, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249595, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249599, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409504, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409508, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409514, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409518, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb b/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb index 73122111..2246df72 100644 --- a/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb +++ b/lib/one_gadget/builds/libc-2.19-a4b13a91fc5d961be3e1a68a30938ba840ae4290.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 256267, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 256274, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 256283, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 256319, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 256323, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 420079, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
420083, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 420089, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 420093, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb b/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb index 81c52f4d..5c377681 100644 --- a/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb +++ b/lib/one_gadget/builds/libc-2.19-a6222959a65e5367ec3f2b54d7f114f6a2c8ce28.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255635, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255642, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255651, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255687, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255691, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415079, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415083, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415089, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415093, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb b/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb index df9bd4f8..ff9f7a9a 100644 --- a/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb +++ b/lib/one_gadget/builds/libc-2.19-a62a3aed804ccd4faac1ae52ee39165dd1cf4ebe.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609331, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609335, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609341, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609345, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb b/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb index 1a7f716a..3533b43b 100644 --- a/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb +++ b/lib/one_gadget/builds/libc-2.19-a71e7ba2ffe12012ab7e5c0ff7d83d6f627a7548.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452924, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452946, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452950, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452954, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609395, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609399, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609405, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609409, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb b/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb index 4412fbbd..aab50397 100644 --- a/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb +++ b/lib/one_gadget/builds/libc-2.19-a7204938a680127c01c9799462c3b33035f06358.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248167, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248174, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248183, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248219, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248223, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406672, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406676, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406682, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406686, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb b/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb index a7cafdfe..66f4a650 100644 --- a/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb +++ b/lib/one_gadget/builds/libc-2.19-a77581d3046ec7a2176ba4bebc222562668d9fd6.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248407, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248414, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248423, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248459, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248463, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406208, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406212, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406218, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406222, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb b/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb index a0647503..eee97a37 100644 --- a/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb +++ b/lib/one_gadget/builds/libc-2.19-a77d09f3b8cbad4c430378157308f6cb71549a5a.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412775, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412779, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412785, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412789, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb b/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb index dab08a05..e1336df5 100644 --- a/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb +++ b/lib/one_gadget/builds/libc-2.19-a7e2264ecf52a64ea3ab55163132240c3142eafd.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412615, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412619, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412625, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412629, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb b/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb index fcc20e40..d7a6d053 100644 --- a/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb +++ b/lib/one_gadget/builds/libc-2.19-a820f849dda0b99ed06dd59bb88404969b3a5f88.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262563, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 262570, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262579, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262615, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 262619, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415381, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415385, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415391, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415395, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb b/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb index 3c0ed542..1cfd6004 100644 --- a/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb +++ b/lib/one_gadget/builds/libc-2.19-a9f67b66e93e0abd79f1d8028188377397e4536b.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261639, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261646, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261655, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261695, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415015, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415019, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415025, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415029, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb b/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb index d29818bf..d3243649 100644 --- a/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb +++ b/lib/one_gadget/builds/libc-2.19-ab474a836c41aed0f0bad2ddc66388253bfa75af.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 453804, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 453826, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 453830, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 453834, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610355, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610359, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610365, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610369, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb b/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb index e92bc144..0d2d0a67 100644 --- a/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb +++ b/lib/one_gadget/builds/libc-2.19-ad03e0bcbda2213489f10a6bf63a7f5fe3dd6558.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267897, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267904, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267988, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755149, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755228, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870775, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870787, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885888, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb b/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb index 75f53f01..2e0c58e2 100644 --- a/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb +++ b/lib/one_gadget/builds/libc-2.19-ad91c7db0fad11b03e3ce92eda28f673cb36db5d.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255223, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255230, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255239, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255275, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255279, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415463, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415467, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415473, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415477, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb b/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb index 2e87d804..aca4a4bb 100644 --- a/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb +++ b/lib/one_gadget/builds/libc-2.19-adf7d21d8b442e6b601ad3dcc180608193d2d041.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 453900, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 453922, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 453926, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 453930, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609155, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609159, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609165, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609169, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb b/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb index 92b67349..d5dfa99b 100644 --- a/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb +++ b/lib/one_gadget/builds/libc-2.19-b166aefc9dff38869ad893bea2e9ce5e848628b1.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261639, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261646, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261655, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261695, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415015, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415019, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415025, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415029, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb b/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb index 1fc3e4a4..23ca6206 100644 --- a/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb +++ b/lib/one_gadget/builds/libc-2.19-b2c58c0aaead4cc02a5ad606edf4284ca598c0ef.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255491, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255498, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255507, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255543, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255547, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 417271, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
417275, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 417281, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 417285, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb b/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb index bbcb8938..f3004ad8 100644 --- a/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb +++ b/lib/one_gadget/builds/libc-2.19-b32788d3f2b080bd447b295cf59ace25fbfce313.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262523, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262530, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262614, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 700557, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 700636, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 822251, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 822263, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 837392, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb b/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb index 54850c73..c1738535 100644 --- a/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb +++ b/lib/one_gadget/builds/libc-2.19-b4fbe819a1dc946528b4added1887eb9ca130275.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 607171, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 607175, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607181, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607185, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb b/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb index 1147b2ee..f22ee59f 100644 --- a/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb +++ b/lib/one_gadget/builds/libc-2.19-b571f83a8a6f5bb22d3558cddda9f943a2a67fd1.rb 
@@ -20,28 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 288641,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 288648,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 288732,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 797491,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 797570,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 940184,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])")
 OneGadget::Gadget.add(build_id, 943717,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 943729,
- constraints: ["[rsi] == NULL || rsi == 
NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 947558,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb b/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb
index 811eae72..38efa1f2 100644
--- a/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb
+++ b/lib/one_gadget/builds/libc-2.19-b700a5d57528fde5c441b020bcc4e19a9099e05b.rb
@@ -20,22 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 261359,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 261366,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261375,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 261411,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 261415,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412736,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
412740,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412746,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412750,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb b/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb
index 09b35a83..3ac475c5 100644
--- a/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb
+++ b/lib/one_gadget/builds/libc-2.19-b71ed2c38888a9d0e2c977877193e01a64e97a5d.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249495,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249502,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 249511,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 249547,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 249551,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409472,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
409476,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409482,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409486,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb b/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb
index e8d0c81a..33b0f53a 100644
--- a/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb
+++ b/lib/one_gadget/builds/libc-2.19-b9082b0162f9d256c1ccf28b9d35d2cce9f6a6a4.rb
@@ -20,22 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 254606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 254651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 254655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 412775,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
412779,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 412785,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 412789,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb b/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb
index 23034497..ce96c811 100644
--- a/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb
+++ b/lib/one_gadget/builds/libc-2.19-ba1b1c588dbf0ebb80c646060af92e5a93825fee.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 249239,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 249246,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 249255,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 249291,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 249295,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409248,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
409252,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409258,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409262,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb b/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb
index e0a0f6e1..0f37c027 100644
--- a/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb
+++ b/lib/one_gadget/builds/libc-2.19-bb34f13b7ae5fe42cdd14b96dc278f9726424cac.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406432,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
406436,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406442,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406446,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb b/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb
index b35dc376..3fda97eb 100644
--- a/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb
+++ b/lib/one_gadget/builds/libc-2.19-bb91233a6ef2a6c754a8ff20f7ba117d7d57707a.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 262555,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 262562,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 262646,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 701421,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 701500,
- constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x48], r12)")
 OneGadget::Gadget.add(build_id, 823343,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 823355,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 838672,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb b/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb
index e62931ab..69ed96d1 100644
--- a/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb
+++ b/lib/one_gadget/builds/libc-2.19-bd25bd030c2467d343581ee0d8d8aa7a32c7aa29.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255911,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 255918,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 255927,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 255963,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 255967,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 409056,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
409060,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 409066,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 409070,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb b/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb
index 8a10e5f5..81a0958d 100644
--- a/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb
+++ b/lib/one_gadget/builds/libc-2.19-bd69ec1fafeef65209d9874025fd45e093b23144.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248567,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248574,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248583,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248619,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248623,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 408560,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
408564,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 408570,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 408574,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb b/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb
index 733692c2..8e2103d4 100644
--- a/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb
+++ b/lib/one_gadget/builds/libc-2.19-be4425690f42dd1807770d974ff87b88c51d306d.rb
@@ -19,22 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 248599,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
+OneGadget::Gadget.add(build_id, 248606,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248615,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 248651,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 248655,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406400,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
406404,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406410,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406414,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb b/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb
index 7a543a4e..5f143332 100644
--- a/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb
+++ b/lib/one_gadget/builds/libc-2.19-bf368b38f238cfe2c12eac2b487ee8ae58a3a0d8.rb
@@ -20,22 +20,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255223,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 255230,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 255239,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 255275,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 255279,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 415463,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 
415467,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 415473,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 415477,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb b/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb
index 291aa8fa..4a939530 100644
--- a/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb
+++ b/lib/one_gadget/builds/libc-2.19-c00c9b70ba01f92a952474258bed608c3e7be6b9.rb
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb b/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb index 699087d4..051308a7 100644 --- a/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb +++ b/lib/one_gadget/builds/libc-2.19-c0ee9400445c93ecbc8562e006a8b95ed4d07834.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248583, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408528, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408532, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408538, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408542, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb b/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb index 36e048ba..35fe5be1 100644 --- a/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb +++ b/lib/one_gadget/builds/libc-2.19-c24f77af0c861079dbcbbdf09f4b8eee8eb7130c.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb b/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb index 90da39a9..647afa9d 100644 --- a/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb +++ b/lib/one_gadget/builds/libc-2.19-c379cc4f4e8a55319c70e4d3ce4dc2a4c30f151a.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248583, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408528, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408532, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408538, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408542, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb b/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb index 301e802c..3c25b93e 100644 --- a/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb +++ b/lib/one_gadget/builds/libc-2.19-c40027c0c6f76c27293f7570888b9d64e1a93285.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261639, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261646, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261655, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261695, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414983, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414987, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414993, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414997, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb b/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb index 620c623c..a4bb6d42 100644 --- a/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb +++ b/lib/one_gadget/builds/libc-2.19-c41ed0ae53a1a559a44a1140c77c3b274a38e442.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412775, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412779, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412785, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412789, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb b/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb index 4361eae4..497ff1c2 100644 --- a/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb +++ b/lib/one_gadget/builds/libc-2.19-c4278754b0c28c437e1e5bd195d82b6d9e4a6d73.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756893, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 756972, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 872759, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 872771, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 888080, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb b/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb index 6d97c429..033074c1 100644 --- a/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb +++ b/lib/one_gadget/builds/libc-2.19-c46746723526fa9feb3cdf4218ec24c9179131ad.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 453772, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 453794, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 453798, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 453802, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609027, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609031, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609037, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609041, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb b/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb index 2052471a..0315c57d 100644 --- a/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb +++ b/lib/one_gadget/builds/libc-2.19-c5affb5af2f506eb7d48c471160790d4c24e81ae.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262411, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262418, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262502, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 711613, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 711692, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 833551, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 833563, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 848880, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb b/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb index e1d01694..68915b89 100644 --- a/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb +++ b/lib/one_gadget/builds/libc-2.19-c5e45bf4881c526999786f4dd2718042b20e582c.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406432, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406436, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406442, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406446, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb b/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb index 63799b44..37994c7d 100644 --- a/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb +++ b/lib/one_gadget/builds/libc-2.19-c7cab037359898862b1584a1e3c3372683daad3f.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880199, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880211, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb b/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb index 95ed676d..bdc5d859 100644 --- a/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb +++ b/lib/one_gadget/builds/libc-2.19-c83833a5f5ca5636f8f914c2c9f1726860fce8b1.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609411, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609415, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609421, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609425, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb b/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb index 8b0dc337..35ada2ab 100644 --- a/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb +++ b/lib/one_gadget/builds/libc-2.19-cad76dba04139f928612ee55bf9e14b74e1b7c3f.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 461228, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 461250, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 461254, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 461258, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609752, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609756, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609762, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609766, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb b/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb index 7ced12c4..1bac4be3 100644 --- a/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb +++ b/lib/one_gadget/builds/libc-2.19-cafa8de523249f48aebec877e9f45f904e4d62a4.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb b/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb index 8731b083..3a57fa3f 100644 --- a/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb +++ b/lib/one_gadget/builds/libc-2.19-cb46f5139038116d66a73281a3aca373f8ac7428.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249239, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249246, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249255, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249291, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249295, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409216, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409220, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409226, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409230, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb b/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb index e00a6806..bed53dda 100644 --- a/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb +++ b/lib/one_gadget/builds/libc-2.19-cb6e2a7a6812e08f621a5c6b5b3372ab5126fc84.rb 
@@ -21,22 +21,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 242643, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 242645, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 242649, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 242656, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 242691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 242692, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 412228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb b/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb index 0c143ff7..02c00e2a 100644 --- a/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb +++ b/lib/one_gadget/builds/libc-2.19-cb8c8a8edf5ff17d2df7e68e63f6cb242d85b524.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406432, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406436, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406442, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406446, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb b/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb index de89bc9c..e29b62a9 100644 --- a/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb +++ b/lib/one_gadget/builds/libc-2.19-cba6f22d1ee9163390664add53a9ef135c664903.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606995, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606999, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607005, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607009, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb b/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb index dfc4aa6f..ac9316bb 100644 --- a/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb +++ b/lib/one_gadget/builds/libc-2.19-ce25be66ee91861336df34413f53446cb41a2601.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267081, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267088, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267172, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754717, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754796, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870583, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870595, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885904, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb b/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb index 3e16226b..d431dd17 100644 --- a/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb +++ b/lib/one_gadget/builds/libc-2.19-cf43a056242aa025a153e4a7b6698edd7497f305.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 607171, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 607175, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607181, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607185, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb b/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb index f6f81f4e..1ad575da 100644 --- a/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb +++ b/lib/one_gadget/builds/libc-2.19-cf699a15caae64f50311fc4655b86dc39a479789.rb 
@@ -20,28 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287777, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287784, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287868, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 793507, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 793586, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 936296, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])") OneGadget::Gadget.add(build_id, 939877, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 939889, - constraints: ["[rsi] == NULL || rsi == 
NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 943805, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb b/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb index 73145925..dd102c81 100644 --- a/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb +++ b/lib/one_gadget/builds/libc-2.19-d06fb2560475e149d6d2401eae955164eb8262fa.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 461228, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 461250, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 461254, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 461258, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609752, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609756, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609762, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609766, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb b/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb index 830d9fe2..6b374a1d 100644 --- a/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb +++ b/lib/one_gadget/builds/libc-2.19-d11506d7facb213bd2c6063f010a42fa9d723879.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454092, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454114, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454118, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454122, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 607171, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 607175, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 607181, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 607185, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb b/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb index 158dfa99..3201835a 100644 --- a/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb +++ b/lib/one_gadget/builds/libc-2.19-d1c6ec21d9d74bb0d866a08635b1fc075c4a2e40.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406432, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406436, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406442, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406446, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb b/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb index 67e17291..de14c2af 100644 --- a/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb +++ b/lib/one_gadget/builds/libc-2.19-d2b9e70520a7dbf92895b3d08c9e6a92010571cf.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb b/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb index 9067c24a..8a8074ee 100644 --- a/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb +++ b/lib/one_gadget/builds/libc-2.19-d56aa9d47cf61192f75e28fef805c0ce20502157.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 263451, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 263458, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 263542, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 701565, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 701644, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 823243, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823255, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 838384, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb b/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb index ec592cec..4b58a42e 100644 --- a/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb +++ b/lib/one_gadget/builds/libc-2.19-d66b201cb2987a585890d4be28cf92dad14cb760.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267865, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267872, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267956, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754877, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754956, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870503, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870515, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb b/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb index cd10ca7d..15f241ba 100644 --- a/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb +++ b/lib/one_gadget/builds/libc-2.19-d6c3d9e55db8600672a2ef744f57aa84e6bea41a.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409024, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409028, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409034, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409038, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb b/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb index 93d4db71..f0109a99 100644 --- a/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb +++ b/lib/one_gadget/builds/libc-2.19-d80f3b321f845a71f3c47d913dd3e65152565863.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409024, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409028, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409034, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409038, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb b/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb index 328e1694..3fbc87d2 100644 --- a/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb +++ b/lib/one_gadget/builds/libc-2.19-d8adddcd7476a6b09bdf02fe1e1d73bd393b6ed7.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880199, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880211, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb b/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb index 87a251f7..7eb687b9 100644 --- a/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb +++ b/lib/one_gadget/builds/libc-2.19-d9a10b8ef90300628dd0a3a535106967714d7328.rb 
@@ -20,28 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287777, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287784, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 287868, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 809715, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 809794, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 951832, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rbp-0xf0]] == NULL || [rbp-0xf0] == NULL || [rbp-0xf0] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rbp-0xf0])") OneGadget::Gadget.add(build_id, 955413, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 955425, - constraints: ["[rsi] == NULL || rsi == 
NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 959341, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb b/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb index 3c3bdf85..627fa4e9 100644 --- a/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb +++ b/lib/one_gadget/builds/libc-2.19-db3fac1541a95bdab2d9ae20bdef3c2f1c13b7e0.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254615, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412743, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412747, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412753, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412757, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb b/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb index 8fe76a5c..0d5123fd 100644 --- a/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb +++ b/lib/one_gadget/builds/libc-2.19-dd1b1c22eae3c8f0faa0b355bbcdca8f7c0cd91d.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 256039, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 256046, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 256055, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 256091, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 256095, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409184, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409188, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409194, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409198, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb b/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb index a3be3040..d49b1fc0 100644 --- a/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb +++ b/lib/one_gadget/builds/libc-2.19-df559a150829d9f3cdd0b5ce1e5b4d512d20f55f.rb 
@@ -22,22 +22,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255187, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255194, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255203, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255239, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255243, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 416847, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
416851, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 416857, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 416861, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb b/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb index a2dfb631..7bc5936a 100644 --- a/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb +++ b/lib/one_gadget/builds/libc-2.19-e01fa6a6b4685ecaebc6756679c283c6572eb6f2.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 454796, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 454818, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 454822, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 454826, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 610051, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 610055, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 610061, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 610065, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb b/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb index ec9b8253..15afa7eb 100644 --- a/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb +++ b/lib/one_gadget/builds/libc-2.19-e10149c2a9bf0df3c9149b351168fcd32adb41c6.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262555, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbp, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262562, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 262646, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 701405, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 701484, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 823359, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823371, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 838688, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb b/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb index 793b2f8b..b11649c9 100644 --- a/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb +++ b/lib/one_gadget/builds/libc-2.19-e13d310493f24ceb84f232c5f72469cbe516d57a.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb b/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb index 90bb84da..0b1f11b0 100644 --- a/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb +++ b/lib/one_gadget/builds/libc-2.19-e2773917e0ca89ebc16787d8cbc96400088583ec.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249239, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249246, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249255, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249291, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249295, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409248, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409252, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409258, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409262, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb b/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb index d1aeac8f..8fe0d2db 100644 --- a/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb +++ b/lib/one_gadget/builds/libc-2.19-e4c3a6a564aeddbafa8be691efffc79e755fa8a4.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406400, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406404, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406410, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406414, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb b/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb index fccf947a..15c16ae6 100644 --- a/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb +++ b/lib/one_gadget/builds/libc-2.19-e53d50e134c10f91f8cf52b1778f85b7926147cc.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606707, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606711, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606717, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606721, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb b/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb index c9e5ccee..3b583108 100644 --- a/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb +++ b/lib/one_gadget/builds/libc-2.19-e540f810b37a33fab5b3116fdbf8bcaacc000c16.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452924, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452946, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452950, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452954, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609395, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609399, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609405, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609409, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb b/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb index ca26f13f..eedd99ca 100644 --- a/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb +++ b/lib/one_gadget/builds/libc-2.19-e5bd51e1eefbc5c3d96a3aba4dcb50a0cec162de.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255467, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255474, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255483, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255519, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255523, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 417007, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
417011, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 417017, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 417021, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb b/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb index 2c7f0316..6a6d85fa 100644 --- a/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb +++ b/lib/one_gadget/builds/libc-2.19-e6ac06f6c982d98a419cec51de313ea609f2b1f2.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255223, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 255230, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255239, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255275, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255279, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415431, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415435, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415441, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415445, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb b/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb index 7cbf26b2..2b4972c2 100644 --- a/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb +++ b/lib/one_gadget/builds/libc-2.19-e6e4c4588d098e16d0fba7e15ba9c81f294074a4.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248167, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248174, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248183, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248219, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248223, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406672, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406676, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406682, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406686, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb b/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb index 0fe59930..1b9d7748 100644 --- a/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb +++ b/lib/one_gadget/builds/libc-2.19-e70d0551a6ce8feb294de6c138135b58d8763e85.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267865, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267872, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267956, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754877, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754956, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870503, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870515, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885520, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb b/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb index 45a2141e..6d5943ce 100644 --- a/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb +++ b/lib/one_gadget/builds/libc-2.19-e806961cc6bc18acfd55df2613b100a9e733cebd.rb 
@@ -21,22 +21,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 242643, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 242645, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 242649, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 242656, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 242691, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 242692, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 412228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb b/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb index 65df71bf..2edcb29d 100644 --- a/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb +++ b/lib/one_gadget/builds/libc-2.19-e882a1c9195b6bc1a62b3aeda9b63733109abd2f.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255911, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 255918, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255927, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 255963, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255967, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409056, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409060, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409066, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409070, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb b/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb index 01abf6a1..e2122287 100644 --- a/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb +++ b/lib/one_gadget/builds/libc-2.19-e892e2e9d5818511e2390e642edd1d4cf2331885.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 274841, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274848, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 274932, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755165, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755244, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870176, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") OneGadget::Gadget.add(build_id, 874775, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874787, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + 
constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb b/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb index 10c47984..7a34493e 100644 --- a/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb +++ b/lib/one_gadget/builds/libc-2.19-e89b2153fd6795f03d6cd1dd789241326a7ee458.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248567, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248574, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248583, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248619, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248623, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 408560, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
408564, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 408570, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 408574, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb b/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb index 10ae3ece..e61d593a 100644 --- a/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb +++ b/lib/one_gadget/builds/libc-2.19-ebc3c6d17edbddfdcb000366fae4e7cab6ba420c.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452924, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452946, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452950, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452954, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 606867, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 606871, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 606877, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 606881, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb b/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb index 6f2cc156..44d51ad5 100644 --- a/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb +++ b/lib/one_gadget/builds/libc-2.19-ecc10e3f1443d65007126bef8184ac84bfdf6b7c.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 267849, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267856, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267940, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755037, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755116, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 870647, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 870659, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 885760, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb b/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb index f36c2041..da6106fe 100644 --- a/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb +++ b/lib/one_gadget/builds/libc-2.19-edc2302cd47e8eedfc2e45da9fddecbdb07b4f21.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414679, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414683, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414689, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414693, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb b/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb index 134859dc..e05ede06 100644 --- a/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb +++ b/lib/one_gadget/builds/libc-2.19-edd5ba629053d507cb963d5269db6e7ae5bde36e.rb 
@@ -20,25 +20,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 266985, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 266992, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 267076, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765005, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 765084, - constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x48]] == NULL || [rbp-0x48] == NULL || [rbp-0x48] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x48], r12)") OneGadget::Gadget.add(build_id, 880871, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880883, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896192, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb b/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb index 162bdd1e..68828d75 100644 --- a/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb +++ b/lib/one_gadget/builds/libc-2.19-f3a1e60201c31bb9fef972279d08dfc33dbb3ce9.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb b/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb index c90f7a05..518a37a7 100644 --- a/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb +++ b/lib/one_gadget/builds/libc-2.19-f5c375701c2c4406306201e19b42521f504175ec.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406400, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406404, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406410, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406414, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb b/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb index fccaf6d2..b3d6e303 100644 --- a/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb +++ b/lib/one_gadget/builds/libc-2.19-f5e1349016d93661914069bcc7254e702434e445.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248599, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 248606, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248615, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248651, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 248655, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 406432, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
406436, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 406442, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 406446, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb b/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb index d7acd8ee..5456dd60 100644 --- a/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb +++ b/lib/one_gadget/builds/libc-2.19-f6248141094bb965d660fd2ce31d8534593c1003.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254311, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254318, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254327, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254363, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254367, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414551, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414555, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414561, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414565, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb b/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb index 38d2c69d..92d8815b 100644 --- a/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb +++ b/lib/one_gadget/builds/libc-2.19-f6ba6844f5bba0603e13b577328b9f326d4fef8a.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 461228, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 461250, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 461254, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 461258, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609752, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609756, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609762, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609766, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb b/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb index f8b2f296..b809cb37 100644 --- a/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb +++ b/lib/one_gadget/builds/libc-2.19-f8cc1a32de8229e21b61215844be0462c6ac49a6.rb 
@@ -19,21 +19,27 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 452940, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") +OneGadget::Gadget.add(build_id, 452962, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], + effect: "execve(\"/bin/sh\", esp+0x30, [esp+0x8])") OneGadget::Gadget.add(build_id, 452966, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 452970, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 609587, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 609591, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: 
"execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 609597, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 609601, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb b/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb index dfd39315..7f147e62 100644 --- a/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb +++ b/lib/one_gadget/builds/libc-2.19-f9b5531180de2f0ce620bc03b5fc4d7f8570fd18.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 262187, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 262194, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262203, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 262239, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 262243, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 414981, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
414985, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 414991, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 414995, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb b/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb index 9bece8c4..caf5c87d 100644 --- a/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb +++ b/lib/one_gadget/builds/libc-2.19-fb899b514fa6763ad006688efb32ecf9ca691ff3.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249111, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249118, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249127, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249163, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249167, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409680, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409684, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409690, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409694, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb b/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb index e798e355..8287cc37 100644 --- a/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb +++ b/lib/one_gadget/builds/libc-2.19-fd51b20e670e9a9f60dc3b06dc9761fb08c9358b.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261399, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 261406, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261415, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 261451, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 261455, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412768, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412772, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412778, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412782, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb b/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb index 8f1594e7..9f60b712 100644 --- a/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb +++ b/lib/one_gadget/builds/libc-2.19-fd5df0d8007d692d1c00226f81ba04b4f734b5b2.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254967, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254974, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254983, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 255019, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 255023, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 415207, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
415211, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 415217, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 415221, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb b/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb index 9536f460..527ff7cf 100644 --- a/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb +++ b/lib/one_gadget/builds/libc-2.19-fe493bf9ecadc1f26aa36d4a95c718e9f227ad3a.rb 
@@ -20,22 +20,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254471, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 254478, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254487, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 254523, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 254527, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 412647, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
412651, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 412657, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 412661, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb b/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb index cb4103c1..88a87c77 100644 --- a/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb +++ b/lib/one_gadget/builds/libc-2.19-fe76e177d397e9bdccf270232cc7e3a06e84aeb1.rb 
@@ -19,22 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 249239, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") +OneGadget::Gadget.add(build_id, 249246, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249255, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249291, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 249295, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 409216, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
409220, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 409226, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 409230, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb b/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb index d0ed4370..0fca0b94 100644 --- a/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb +++ b/lib/one_gadget/builds/libc-2.20-024df4febc9c789a8eeb052385d5e780b98a379f.rb 
@@ -22,22 +22,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 248462, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 248464, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 248468, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 248475, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 248510, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 248511, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 416308, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb b/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb index 8e52fab5..cf7178fc 100644 --- a/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb +++ b/lib/one_gadget/builds/libc-2.20-074a896d13132ebfb22b89fd4d026b8608b84d01.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261711, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261718, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261802, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754576, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754796, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 878539, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878551, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 893777, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb b/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb index bfbd803b..c0ea994a 100644 --- a/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb +++ b/lib/one_gadget/builds/libc-2.20-0a1de0cc524dacd5b00c678daf50dde4d4539203.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241422, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241424, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241428, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241435, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241470, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241471, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 408836, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb b/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb index e0e87d11..0266ccd9 100644 --- a/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb +++ b/lib/one_gadget/builds/libc-2.20-22fcfb6d820fec1bd07ebc3506236a1c10d2a74e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241374, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241376, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241380, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241387, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241422, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241423, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 408788, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb b/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb index fafe6147..40c6ef9c 100644 --- a/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb +++ b/lib/one_gadget/builds/libc-2.20-317589ae8050581abdfc414151c4655abc3cdfcd.rb 
@@ -22,22 +22,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 247414, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 247416, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 247420, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 247427, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 247462, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 247463, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 413860, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb b/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb index c42938c0..c3cff6a7 100644 --- a/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb +++ b/lib/one_gadget/builds/libc-2.20-370ce0ece788e8e73d938f2fb3ce6adb890eb417.rb 
@@ -22,22 +22,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 248462, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 248464, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 248468, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 248475, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 248510, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 248511, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 419764, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb b/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb index a3ceaae0..0ffec1b9 100644 --- a/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb +++ b/lib/one_gadget/builds/libc-2.20-389e645d86ab23c5f6acd039caacb18a02c3cfa2.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241374, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241376, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241380, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241387, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241422, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241423, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 408788, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb b/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb index 21eacd58..6fe9c756 100644 --- a/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb +++ b/lib/one_gadget/builds/libc-2.20-398115bd423958b1769317a6f7e4928df141eb57.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241374, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241376, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241380, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241387, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241422, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241423, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 409988, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb b/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb index d67202c4..2bd7c9c0 100644 --- a/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb +++ b/lib/one_gadget/builds/libc-2.20-62fa1628ae33cc45efe8313a24ec8c475c9dffa6.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241381, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241383, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241387, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241394, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241429, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241430, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 410628, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb b/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb index 179d7ec9..6e43f5f9 100644 --- a/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb +++ b/lib/one_gadget/builds/libc-2.20-6daaba13e3623d964ca116f91948afc5231732a8.rb 
@@ -22,22 +22,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 247414, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 247416, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 247420, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 247427, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 247462, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 247463, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 417140, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb b/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb index f96493fe..745af6ca 100644 --- a/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb +++ b/lib/one_gadget/builds/libc-2.20-765f172661014a4db8bb05b203bbc07c8686aa25.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261446, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261453, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261537, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754928, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755148, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 878860, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878872, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894049, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb b/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb index 6c9a8245..6830fa70 100644 --- a/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb +++ b/lib/one_gadget/builds/libc-2.20-8bb8c78658cc612de895ec59a8026a08c86662e5.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241422, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241424, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241428, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241435, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241470, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241471, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 410036, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb b/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb index fe1556f6..9a2d3601 100644 --- a/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb +++ b/lib/one_gadget/builds/libc-2.20-a8e57776dcdd5da9b7c9f60e65d28eaeb5b8173f.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241333, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241335, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241339, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241346, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241381, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241382, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 410580, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb b/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb index 35bef839..46156f54 100644 --- a/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb +++ b/lib/one_gadget/builds/libc-2.20-ad272c3f76f36f4fe1357514d4b207a06f7f536c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241333, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241335, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241339, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241346, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241381, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241382, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 410580, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb b/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb index 7428ec70..a5577919 100644 --- a/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb +++ b/lib/one_gadget/builds/libc-2.20-aefe2d045393dbe3e0a2acef88b6f31a78d3a27c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241381, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241383, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241387, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241394, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241429, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241430, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 410628, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb b/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb index 8b6b54fc..d546f362 100644 --- a/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb +++ b/lib/one_gadget/builds/libc-2.20-b1217615db4b7a86b90436982610bf86a03ca881.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261446, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261453, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261537, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754960, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755180, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 878892, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878904, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894081, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb b/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb index 1a2a541a..038026e8 100644 --- a/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb +++ b/lib/one_gadget/builds/libc-2.20-f3063b7115d5a383189937852ce356f4c60fd190.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261711, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261718, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261802, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755456, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755676, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879419, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879431, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894657, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb b/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb index 3ee26021..57d0053e 100644 --- a/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb +++ b/lib/one_gadget/builds/libc-2.20-f53b8ad377a1988dcf6329bbdfa7b1201431656e.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 261711, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261718, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 261802, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754576, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754796, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 878539, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878551, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 893777, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb b/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb index b9200e77..731d2e5c 100644 --- a/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb +++ b/lib/one_gadget/builds/libc-2.21-04f18629ef42b062ed0c8f60d5bfaa40a7d28ef7.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240831, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240833, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240837, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240844, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240879, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240880, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 402660, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb b/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb index 742cd349..db5e6f1c 100644 --- a/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb +++ b/lib/one_gadget/builds/libc-2.21-092fa8483d177952f4b38a4b9be8305baef60466.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240534, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240536, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240540, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240547, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240582, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240583, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400324, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb b/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb index 9920cc9f..c2b8bea8 100644 --- a/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb +++ b/lib/one_gadget/builds/libc-2.21-096d4c9ce21618defe0b3e4694dc5380e0189009.rb 
@@ -21,22 +21,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 245465, + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") +OneGadget::Gadget.add(build_id, 245472, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], + effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 245481, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 245517, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp+0x8])") OneGadget::Gadget.add(build_id, 245521, - constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"], effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])") +OneGadget::Gadget.add(build_id, 405823, + constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"], + effect: "execl(\"/bin/sh\", \"sh\", eax)") OneGadget::Gadget.add(build_id, 
405827, - constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"], effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])") OneGadget::Gadget.add(build_id, 405833, - constraints: ["ebx is the GOT address of libc", "eax == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"], effect: "execl(\"/bin/sh\", eax)") OneGadget::Gadget.add(build_id, 405837, - constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"], effect: "execl(\"/bin/sh\", [esp+0x4])") diff --git a/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb b/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb index 2e0d008e..ae8e3cab 100644 --- a/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb +++ b/lib/one_gadget/builds/libc-2.21-13495a0bf9fc076d41056041922792ddb58ac456.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241030, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241032, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241036, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241043, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241078, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241079, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400820, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb b/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb index 799791a1..f9900dd1 100644 --- a/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb +++ b/lib/one_gadget/builds/libc-2.21-169a143e9c40cfd9d09695333e45fd67743cd2d6.rb 
@@ -19,14 +19,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 252888, + constraints: ["writable: x19+0x2a0", "{\"sh\", \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 252896, + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x9d8 == NULL || {x4+0x9d8, \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 252900, - constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x9d8 == NULL"], + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x9d8 == NULL || {x4+0x9d8, x3+0x9e0, x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 252904, + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x9e0, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 252908, - constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL"], + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 252976, - constraints: ["writable: x20+0x4", "[sp+0x58] == NULL"], + constraints: ["writable: x20+0x4", "[sp+0x58] == NULL || {[sp+0x58], [sp+0x60], [sp+0x68], [sp+0x70], ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 408244, constraints: ["x2+0x9e0 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb b/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb index b010f1af..9c3b56be 100644 --- a/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb +++ b/lib/one_gadget/builds/libc-2.21-1800fb8ed39680604091e8268cd21cb8ee6f747f.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb b/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb index 845da52e..27f1c637 100644 --- a/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb +++ b/lib/one_gadget/builds/libc-2.21-185ab573783653be4ea1784a59be3a1499ca64c7.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240534, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240536, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240540, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240547, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240582, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240583, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400324, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb b/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb index 667c4f35..01443934 100644 --- a/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb +++ b/lib/one_gadget/builds/libc-2.21-1a266f551f39283eff85f4ab8913d8b6d57fb290.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234245, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234247, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234251, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234258, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234293, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234294, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393791, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb b/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb index f7a38d1c..7b77a71f 100644 --- a/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb +++ b/lib/one_gadget/builds/libc-2.21-1dfdbdb3ed58b70e07e1a94ff3e95d84652cb0f1.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260175, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260182, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260266, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757536, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757756, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879645, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879657, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894929, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb b/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb index a8ddb0c4..6a9cb558 100644 --- a/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb +++ b/lib/one_gadget/builds/libc-2.21-1ee253f6aeaec7a001984e257b86ad7224e46469.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259791, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259798, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259882, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 758032, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 758252, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 880141, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880153, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895425, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb b/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb index 1789f009..a4712632 100644 --- a/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb +++ b/lib/one_gadget/builds/libc-2.21-20b088455f100a9a72e94a69e843b6e0831cbedb.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260127, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260134, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260218, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757472, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757692, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879581, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879593, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894865, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb b/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb index 65dcce40..5f00ecb4 100644 --- a/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb +++ b/lib/one_gadget/builds/libc-2.21-2466292818ad2b41c64ea7107123fe96010e1b96.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb b/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb index bed47b27..5b0aeb8b 100644 --- a/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb +++ b/lib/one_gadget/builds/libc-2.21-24c3f01054f36f8184ba673743310b5178354334.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240616, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240620, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240627, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240662, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240663, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401556, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb b/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb index 81faad2b..a00d0c1d 100644 --- a/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb +++ b/lib/one_gadget/builds/libc-2.21-25dd428fb4c350c16dfee20491f1a06484a2bfa3.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241710, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241712, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241716, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241723, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241758, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241759, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 403588, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb b/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb index f298525e..0b9ea8fc 100644 --- a/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb +++ b/lib/one_gadget/builds/libc-2.21-2c092eb4091e8d3a20313a09194418595efca9db.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240502, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240504, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240508, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240551, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400292, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb b/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb index e4ecf7f1..ce76f2ad 100644 --- a/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb +++ b/lib/one_gadget/builds/libc-2.21-2e9718e58257bda1dc0d751665a3ee233bf606f2.rb 
@@ -19,14 +19,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 252888, + constraints: ["writable: x19+0x2a0", "{\"sh\", \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 252896, + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x5d8 == NULL || {x4+0x5d8, \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 252900, - constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x5d8 == NULL"], + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4+0x5d8 == NULL || {x4+0x5d8, x3+0x5e0, x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 252904, + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x5e0, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 252908, - constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL"], + constraints: ["writable: x19+0x2a0", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 252976, - constraints: ["writable: x20+0x4", "[sp+0x58] == NULL"], + constraints: ["writable: x20+0x4", "[sp+0x58] == NULL || {[sp+0x58], [sp+0x60], [sp+0x68], [sp+0x70], ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 408388, constraints: ["x2+0x5e0 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb b/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb index f2533e9a..06712328 100644 --- a/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb +++ b/lib/one_gadget/builds/libc-2.21-3141017330a2057c655dcb61bd3d9b2c98399181.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240616, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240620, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240627, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240662, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240663, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401556, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb b/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb index 7a742a35..72791c5a 100644 --- a/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb +++ b/lib/one_gadget/builds/libc-2.21-39f1a0bc7f66ea42f3341c0d629bae8caef2346d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233925, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233927, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233931, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233938, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233973, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233974, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 394991, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb b/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb index 701c60a5..80292100 100644 --- a/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb +++ b/lib/one_gadget/builds/libc-2.21-3af67b618c87a9cfadcf4be33331e34f77f5c842.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb b/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb index 2f467170..2737e259 100644 --- a/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb +++ b/lib/one_gadget/builds/libc-2.21-3b9bef61c919475929cfcc3608bdadb86c3b1c6e.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260127, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260134, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260218, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757472, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757692, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879581, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879593, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894865, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb b/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb index d23f4505..8093552b 100644 --- a/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb +++ b/lib/one_gadget/builds/libc-2.21-3c9e3250b31dfe4b5e139cda266e7beabc47e504.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260175, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260182, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260266, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 758320, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 758540, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 880429, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880441, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895713, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb b/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb index a6b8975d..0474d555 100644 --- a/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb +++ b/lib/one_gadget/builds/libc-2.21-3eab56f86f3ee1745baa9e6fa771e652340487cc.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240470, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240472, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240476, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240483, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240518, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240519, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400260, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb b/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb index 87764438..fc40b023 100644 --- a/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb +++ b/lib/one_gadget/builds/libc-2.21-3f08a19432b31835c71ea7d5b3687562cef053e3.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260175, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260182, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260266, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757552, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757772, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879661, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879673, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894945, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb b/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb index 7d0066e7..be485cc8 100644 --- a/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb +++ b/lib/one_gadget/builds/libc-2.21-3faf7b9bab86ba7024b62d99c859136333b8a70d.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436370, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436389, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436391, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436395, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436396, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 597056, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb b/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb index ce2d5489..cd0b8ca5 100644 --- a/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb +++ b/lib/one_gadget/builds/libc-2.21-3fc95a6cdd31b66c550d64d90d0431f68ed43571.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260079, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260086, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260170, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757616, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757836, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879709, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879721, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894993, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb b/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb index 2fd6582a..2a2b3d78 100644 --- a/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb +++ b/lib/one_gadget/builds/libc-2.21-41530fe252a0d5854827649ddf6e2c8fba9d1653.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb b/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb index 74d58a43..76f1f4f5 100644 --- a/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb +++ b/lib/one_gadget/builds/libc-2.21-4a0864552f6b027689c7a69efa12e277009c5999.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240566, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240568, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240572, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240579, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240615, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400356, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb b/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb index bd3b33c3..c1af13ad 100644 --- a/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb +++ b/lib/one_gadget/builds/libc-2.21-4b7de972132a4762898ccb1210ffb7cfc0e6f14e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240702, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240704, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240708, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240715, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240750, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240751, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 402036, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb b/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb index d475e8c7..4ee97417 100644 --- a/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb +++ b/lib/one_gadget/builds/libc-2.21-4ce84d266a07230287b230ac4ce8ba2d2f3f854e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233861, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233863, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233867, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233874, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233909, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233910, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 394927, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb b/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb index e866bc98..c4a23897 100644 --- a/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb +++ b/lib/one_gadget/builds/libc-2.21-4dec520cda38e785c80e30db8fcd5428cee0f324.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436306, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436325, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436327, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436331, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436332, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 596272, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb b/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb index e76b4151..3adbfa2e 100644 --- a/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb +++ b/lib/one_gadget/builds/libc-2.21-4f14eb66c408453973042c95d25f4e014bf4e364.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255778, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255785, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255869, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 708656, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 708876, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 837619, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 837631, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 852625, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb b/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb index 932daefe..baab00e2 100644 --- a/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb +++ b/lib/one_gadget/builds/libc-2.21-503c5dd98cc9529359e601c1595c995cf359df30.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234245, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234247, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234251, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234258, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234293, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234294, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393791, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb b/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb index 8947b5cd..dac25ede 100644 --- a/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb +++ b/lib/one_gadget/builds/libc-2.21-505a88bc8f93a7ba339895ce27dc4ad8331cad7d.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260143, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260150, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260234, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757520, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757740, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879629, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879641, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894913, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb b/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb index db225436..351b9e1e 100644 --- a/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb +++ b/lib/one_gadget/builds/libc-2.21-53377f31675a81af793df0c63b40e193a4a6999b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240616, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240620, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240627, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240662, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240663, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400404, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb b/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb index 9529961a..f6a495c2 100644 --- a/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb +++ b/lib/one_gadget/builds/libc-2.21-53b6f3047638b0703bf1091fe4c3afe79445d546.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260111, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260118, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260202, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757488, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757708, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879597, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879609, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894881, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb b/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb index 421cfc21..c4d389e1 100644 --- a/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb +++ b/lib/one_gadget/builds/libc-2.21-570c7051e379d909016cb81933bc5701daecd428.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240470, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240472, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240476, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240483, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240518, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240519, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400260, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb b/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb index ab4353ff..c31ab7e3 100644 --- a/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb +++ b/lib/one_gadget/builds/libc-2.21-591e5a56f9d466a7c70baf6684d99843ab8c45d1.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234181, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234183, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234187, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234194, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234229, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234230, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393727, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb b/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb index d8c99b2a..e48c236c 100644 --- a/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb +++ b/lib/one_gadget/builds/libc-2.21-59b7200857a55acdfa5de730a573eed0cfec0962.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241030, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241032, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241036, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241043, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241078, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241079, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400820, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb b/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb index ab6a6d18..104ae759 100644 --- a/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb +++ b/lib/one_gadget/builds/libc-2.21-59c981c8e0e729ae7c562daa00be2cdb8e0c090a.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260127, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260134, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260218, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757472, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757692, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879581, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879593, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894865, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb b/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb index 6af6c62d..86505150 100644 --- a/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb +++ b/lib/one_gadget/builds/libc-2.21-59eae8a903584dcbc14cf07c719cd23b9f65e230.rb 
@@ -19,28 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 279119, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279126, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279210, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 833888, - constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rcx, r12)") OneGadget::Gadget.add(build_id, 834112, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 985072, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 985084, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 988861, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL 
|| {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1009920, - constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb b/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb index c8d0816c..9c24de46 100644 --- a/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb +++ b/lib/one_gadget/builds/libc-2.21-5a22b7ec63fd7c5dc6a92875046515f4beac727d.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436370, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436389, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436391, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436395, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436396, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 597056, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb b/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb index 2b1f0ddc..4697af2f 100644 --- a/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb +++ b/lib/one_gadget/builds/libc-2.21-5c9f149296e581c181529723f7eb44bf10a7d746.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260239, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260246, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260330, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757584, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757804, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879677, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879689, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894961, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb b/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb index 596aa10b..91a83c82 100644 --- a/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb +++ b/lib/one_gadget/builds/libc-2.21-5ccd94c4e3483df05be240ff1fb8a3f53794cc6f.rb 
@@ -19,28 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 279039, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279046, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279130, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 834544, - constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rcx, r12)") OneGadget::Gadget.add(build_id, 834768, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 985728, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 985740, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 989517, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL 
|| {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1010576, - constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb b/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb index 04a0f615..33f64db3 100644 --- a/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb +++ b/lib/one_gadget/builds/libc-2.21-5f977df2af6a6a25e48e60dd867680d79dc6da8e.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260079, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260086, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260170, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757456, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757676, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879565, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879577, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894849, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb b/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb index e57077b5..b7ed1721 100644 --- a/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb +++ b/lib/one_gadget/builds/libc-2.21-60e1d8111d5fec5580da9105670e78a63287732e.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260111, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260118, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260202, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757488, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757708, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879597, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879609, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894881, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb b/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb index 0617ce25..5358782e 100644 --- a/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb +++ b/lib/one_gadget/builds/libc-2.21-629ae1554ea01c67fdedb7874de4686f6c30b6e3.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234101, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234103, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234107, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234114, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234149, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234150, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 394623, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb b/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb index ad497fc4..1fed0baf 100644 --- a/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb +++ b/lib/one_gadget/builds/libc-2.21-63c3d4b45af73dff54258c5a5cab9e3d828cc766.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234181, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234183, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234187, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234194, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234229, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234230, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393727, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb b/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb index 22dae40e..e1b73af5 100644 --- a/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb +++ b/lib/one_gadget/builds/libc-2.21-64125575d05a0aedbfe187ef0f95431229c5aac8.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436306, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436325, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436327, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436331, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436332, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 596992, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb b/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb index 458d083d..ad2da00b 100644 --- a/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb +++ b/lib/one_gadget/builds/libc-2.21-6980ac7f9370d2bbb2aade5ceeedc8afc4f02f3e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234181, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234183, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234187, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234194, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234229, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234230, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393727, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb b/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb index c4911aec..fb84868b 100644 --- a/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb +++ b/lib/one_gadget/builds/libc-2.21-7b173624b62ee3bd8049bdeaaff990839eb4cb36.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240502, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240504, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240508, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240551, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400292, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb b/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb index 564fd1e2..cab8f22b 100644 --- a/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb +++ b/lib/one_gadget/builds/libc-2.21-7d672538d6a08ce14e4bd6e931392bf63156f490.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240598, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240600, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240604, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240611, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240646, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240647, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400388, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb b/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb index 5aa15d80..59e9fc7b 100644 --- a/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb +++ b/lib/one_gadget/builds/libc-2.21-7f4a3fabc90bc1e410fe6377e2a1826d426c8f57.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260175, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260182, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260266, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757744, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757964, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879853, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879865, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895137, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb b/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb index 1f0367f4..beb64a40 100644 --- a/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb +++ b/lib/one_gadget/builds/libc-2.21-80e8cfbc6550fde842cfb72ba97d916827d462df.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234245, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234247, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234251, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234258, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234293, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234294, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393791, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb b/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb index 2f84599d..d220e204 100644 --- a/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb +++ b/lib/one_gadget/builds/libc-2.21-82d7d2a5db69a59c01ca5d2a63250ca6a6bd08a3.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240815, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240817, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240821, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240828, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240863, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240864, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 402644, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb b/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb index 4a07d319..06752d04 100644 --- a/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb +++ b/lib/one_gadget/builds/libc-2.21-834a46faae116cb9500c57d6c06e701f98a52e2e.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436306, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436325, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436327, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436331, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436332, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 596992, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb b/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb index 559f437e..c8c8d9ef 100644 --- a/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb +++ b/lib/one_gadget/builds/libc-2.21-83d46f5dc4d7894ea923bf566f6b38bfceedc6e1.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb b/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb index 67a4a40a..51f2d59a 100644 --- a/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb +++ b/lib/one_gadget/builds/libc-2.21-847fa75888ee989393032f4ae5a133902df3e2cb.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255778, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255785, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255869, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 708656, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 708876, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 837619, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 837631, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 852625, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb b/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb index 9fc8f046..4ddb2094 100644 --- a/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb +++ b/lib/one_gadget/builds/libc-2.21-8626995277c9a0db7fec384061c564c3ea50eeae.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240702, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240704, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240708, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240715, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240750, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240751, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 402036, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb b/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb index 17c21b75..28c6e4d1 100644 --- a/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb +++ b/lib/one_gadget/builds/libc-2.21-86d752d92fbf1e8b558018e4b122dab52b304ab6.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240616, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240620, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240627, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240662, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240663, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401556, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb b/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb index d6e52476..3fb421bf 100644 --- a/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb +++ b/lib/one_gadget/builds/libc-2.21-879c9c4ffc5aabfd0a9c9d1b1c73d5f1df969aac.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259679, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259686, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259770, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756768, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 756988, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 878733, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878745, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894017, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb b/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb index 38d0b758..8b14b9b7 100644 --- a/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb +++ b/lib/one_gadget/builds/libc-2.21-87ded6f6ac3f40a59e17170307d0b15c1170552c.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255474, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255481, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255565, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 709248, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 709468, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 838211, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 838223, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 853217, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb b/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb index b57c3338..58f68e0d 100644 --- a/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb +++ b/lib/one_gadget/builds/libc-2.21-8acd43cf74a9756cd727b8516b08679ee071a92d.rb 
@@ -19,28 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 279119, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279126, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279210, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 833984, - constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rcx, r12)") OneGadget::Gadget.add(build_id, 834208, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 985152, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 985164, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 988941, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL 
|| {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1010000, - constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb b/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb index 5aadb6ba..8877d26e 100644 --- a/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb +++ b/lib/one_gadget/builds/libc-2.21-8e845b188299cb419b70cf5de27c22a50f776fce.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb b/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb index 64b5ac36..7f4d6c6f 100644 --- a/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb +++ b/lib/one_gadget/builds/libc-2.21-924acd9c6de558f26574bdc2eaa3048b597f2e5e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234181, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234183, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234187, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234194, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234229, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234230, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393727, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb b/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb index 3765f308..34836c67 100644 --- a/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb +++ b/lib/one_gadget/builds/libc-2.21-93d704dff1ec8dceb660b58863d2a36afd52b66e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234245, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234247, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234251, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234258, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234293, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234294, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393791, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb b/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb index a903f79a..9e20bc0f 100644 --- a/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb +++ b/lib/one_gadget/builds/libc-2.21-9595d37f80a7925dc75efa522c839df34edb4b46.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233829, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233831, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233835, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233842, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233877, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233878, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 395455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb b/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb index 72407f5c..9ce07813 100644 --- a/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb +++ b/lib/one_gadget/builds/libc-2.21-9ac81172d5ff96f40d984fe7c10073a98f1a6b2e.rb 
@@ -19,25 +19,28 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259679,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259686,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259770,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756768,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 756988,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 878733,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878745,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 894017,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb b/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb
index 7b08d41e..a2e2c672 100644
--- a/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb
+++ b/lib/one_gadget/builds/libc-2.21-9c764e8fb2df1bccb33ffedd92cd8659aab98e33.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234103,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234114,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234149,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234150,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 394623,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb b/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb
index a9b9e6fd..040a42cf 100644
--- a/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb
+++ b/lib/one_gadget/builds/libc-2.21-9cf342a68f1a7b4b6ba4df62667c5f4ee8cf7687.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393727,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb b/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb
index 7544c846..1d67065a 100644
--- a/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb
+++ b/lib/one_gadget/builds/libc-2.21-9d0884395161c74567d7fea747e15c9a31785e06.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240566,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240568,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240572,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240579,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240614,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240615,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400356,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb b/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb
index 42c2d81a..3f528ccf 100644
--- a/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb
+++ b/lib/one_gadget/builds/libc-2.21-a0ccdc12ed6ad0d67778aff9b49abc3c8eb30b9a.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 241694,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 241696,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 241700,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 241707,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 241742,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 241743,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 404388,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb b/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb
index e0a17353..1b8fd065 100644
--- a/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb
+++ b/lib/one_gadget/builds/libc-2.21-a167f5367b27f9493cefac9b23e68f180239e96c.rb
@@ -19,25 +19,28 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 255762,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 255769,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 255853,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 708672,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 708892,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 837635,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 837647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 852641,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb b/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb
index 60608bfa..81d10012 100644
--- a/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb
+++ b/lib/one_gadget/builds/libc-2.21-a1f20771562e9a58f6d2746d38a09694d4cbc345.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233861,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233863,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233867,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233874,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233909,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233910,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 394927,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb b/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb
index 77a2ecbc..f1c5ddb9 100644
--- a/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb
+++ b/lib/one_gadget/builds/libc-2.21-a235f288513fa6064a856c499e0453f9f4a44f8a.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393727,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb b/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb
index bde1cc58..81fddcc7 100644
--- a/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb
+++ b/lib/one_gadget/builds/libc-2.21-a5c1de4517ba044d2f7cfa479e69f29bbc673c6a.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 242190,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 242192,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 242196,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 242203,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 242238,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 242239,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 404068,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb b/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb
index 02c66df5..94879a28 100644
--- a/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb
+++ b/lib/one_gadget/builds/libc-2.21-a890a8ee268f8ae36ae0810b6eea7c45766b4133.rb
@@ -19,25 +19,28 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259791,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259798,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259882,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 758240,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 758460,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 880349,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 880361,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895633,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb b/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb
index 8b952703..f13d4a2c 100644
--- a/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb
+++ b/lib/one_gadget/builds/libc-2.21-a9274e5d52fbb32ba32bae055f69ba1741771e79.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400228,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb b/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb
index fdc16d2f..09b9fe8c 100644
--- a/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb
+++ b/lib/one_gadget/builds/libc-2.21-ab066cff9171d55efb0dd884d31c18682ae6922b.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240438,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240440,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240444,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240451,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240486,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240487,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400228,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb b/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb
index 827c2e97..592ee288 100644
--- a/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb
+++ b/lib/one_gadget/builds/libc-2.21-af2daffab6880d8bc68db4143643c132164dc7ca.rb
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260175, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260182, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260266, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 758320, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 758540, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 880429, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 880441, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895713, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb b/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb index 9e05c472..46798e8f 100644 --- a/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb +++ b/lib/one_gadget/builds/libc-2.21-b180bd3047be9b4b70fb28455365546001b76e85.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436370, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436389, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436391, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436395, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436396, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 597056, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb b/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb index 34bfba58..0a772a43 100644 --- a/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb +++ b/lib/one_gadget/builds/libc-2.21-b440183d6aefac5a9259f6e2de824e43e85ed341.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259743, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259750, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259834, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755223, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 755432, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 877607, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 877619, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 892481, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb b/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb index 392b9ed5..212f6abb 100644 --- a/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb +++ b/lib/one_gadget/builds/libc-2.21-b551bf2740c7e79d1722776a6e0d35d65885d037.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 242190, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 242192, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 242196, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 242203, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 242238, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 242239, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 404068, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb b/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb index 7ac0d2f5..6e827b9e 100644 --- a/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb +++ b/lib/one_gadget/builds/libc-2.21-b7ac9e99f0fc2fb83f98b6a01615c0508de638a8.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260239, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260246, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260330, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757600, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757820, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879709, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879721, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894993, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb b/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb index b30621fa..7c8c63eb 100644 --- a/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb +++ b/lib/one_gadget/builds/libc-2.21-b8c6428b947bad767595961d6cb907493073183c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb b/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb index c4debb44..e8448baa 100644 --- a/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb +++ b/lib/one_gadget/builds/libc-2.21-b8daa3ddab3acf64323b47fee32338d5c9591c4d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241742, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241744, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241748, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241755, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241790, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241791, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 403620, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb b/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb index cd21e936..9afec25d 100644 --- a/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb +++ b/lib/one_gadget/builds/libc-2.21-bbfccd958f34a2292058d60a0ddf19e1fcd4ec1e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240502, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240504, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240508, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240551, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400292, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb b/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb index 2eba5287..916bbc3e 100644 --- a/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb +++ b/lib/one_gadget/builds/libc-2.21-bda2fd9acb85c5de61a1d4c7e2098fce25f3199f.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234245, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234247, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234251, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234258, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234293, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234294, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393791, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb b/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb index 5790979e..1b4b7e36 100644 --- a/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb +++ b/lib/one_gadget/builds/libc-2.21-c164b79c008a3ad0c2f0277688274a0c3c98e79b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240502, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240504, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240508, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240551, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400292, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb b/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb index 673f0ff4..ef5dea1c 100644 --- a/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb +++ b/lib/one_gadget/builds/libc-2.21-c2f12c8aed093770731d57b19dc039c32423246b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240616, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240620, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240627, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240662, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240663, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400404, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb b/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb index 371f493a..cbe732e3 100644 --- a/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb +++ b/lib/one_gadget/builds/libc-2.21-c3318940121036465913d946fa62fef61459b68a.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240750, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240752, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240756, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240763, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240798, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240799, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 402084, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb b/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb index 502e81f0..db2b7478 100644 --- a/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb +++ b/lib/one_gadget/builds/libc-2.21-c4969c549a0d0099304108e50a77ff68602ed922.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240502, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240504, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240508, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240551, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400292, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb b/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb index aa064e83..67f9e8d1 100644 --- a/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb +++ b/lib/one_gadget/builds/libc-2.21-c51ca19ec6c53db97a15c67eea8ed00761570689.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240502, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240504, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240508, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240551, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400292, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb b/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb index daf93db4..0c17ddf5 100644 --- a/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb +++ b/lib/one_gadget/builds/libc-2.21-c601601a621be82612e36dd2a981121c141c72c9.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255762, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255769, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 255853, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 708672, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 708892, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 837635, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 837647, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 852641, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb b/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb index a02b57f8..ee7344bf 100644 --- a/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb +++ b/lib/one_gadget/builds/libc-2.21-c6654d8229ff494d5b5c067e8a1dbf184fcdd57d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240614, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240616, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240620, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240627, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240662, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240663, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401556, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb b/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb index 9a939c5b..76228a1a 100644 --- a/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb +++ b/lib/one_gadget/builds/libc-2.21-c91d043eaeb023885cdd80a3c0872d9fde9867bb.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240438, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240440, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240444, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240451, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240486, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240487, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400228, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb b/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb index ab56813e..82154716 100644 --- a/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb +++ b/lib/one_gadget/builds/libc-2.21-cb732feec2d8bae5ebb5d072a86cd31aca65f89b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240702, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240704, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240708, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240715, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240750, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240751, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 402036, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb b/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb index df08def3..e34db9ac 100644 --- a/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb +++ b/lib/one_gadget/builds/libc-2.21-cf580407d98ed9bec9c92c1ae2241eca8604e4d5.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260127, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260134, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260218, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757472, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 757692, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 879581, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879593, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 894865, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb b/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb index e4ee757a..417d37f2 100644 --- a/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb +++ b/lib/one_gadget/builds/libc-2.21-d0cbed817be7f8947339e1796d1964567e9dfe96.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240550, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240552, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240556, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240563, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240598, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240599, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401492, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb b/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb index c5ff2f38..042bd90a 100644 --- a/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb +++ b/lib/one_gadget/builds/libc-2.21-d1c4dd44416a5a2781b37f7d9111961c8dc58583.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234101, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234103, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234107, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234114, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234149, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234150, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393647, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb b/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb index 8ad85f22..1397edf7 100644 --- a/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb +++ b/lib/one_gadget/builds/libc-2.21-dc53884306f13d86e310d893433556d93ef7facc.rb 
@@ -19,28 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 279039, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279046, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279130, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 834544, - constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rcx, r12)") OneGadget::Gadget.add(build_id, 834768, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 985728, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 985740, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 989517, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL 
|| {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1010576, - constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb b/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb index c021fb59..a45cbfa8 100644 --- a/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb +++ b/lib/one_gadget/builds/libc-2.21-dc70ee31ce02e89d989cb38dc885438e19dc5919.rb 
@@ -19,28 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 279055, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279062, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 279146, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 834192, - constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rcx, r12)") OneGadget::Gadget.add(build_id, 834416, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 985376, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 985388, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 989165, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL 
|| {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1010272, - constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb b/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb index 5afa65ed..ee358b88 100644 --- a/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb +++ b/lib/one_gadget/builds/libc-2.21-e174b9dc46c7d38d1f153f2a4f9c059484042cdc.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241710, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241712, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241716, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241723, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241758, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241759, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 403588, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb b/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb index d39ceabb..00069c10 100644 --- a/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb +++ b/lib/one_gadget/builds/libc-2.21-e3a06c9d90272ed9dd49863667de02579971fefd.rb 
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 260111,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 260118,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 260202,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 757488,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 757708,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 879597,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 879609,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 894881,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb b/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb
index 9dcc1a20..9a3bf77f 100644
--- a/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb
+++ b/lib/one_gadget/builds/libc-2.21-e6f442dc2d29e0e16cd34dc787d3c95fafeb90cc.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234103,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234114,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234149,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234150,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393647,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb b/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb
index 9c874264..e231485a 100644
--- a/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb
+++ b/lib/one_gadget/builds/libc-2.21-e91a3a679d219196e597358caa46469961c471fd.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 436354,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 436373,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 436375,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 436379,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 436380,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596320,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb b/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb
index 28001089..0b9ee737 100644
--- a/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb
+++ b/lib/one_gadget/builds/libc-2.21-f08b44317fec610d418f62d5d24fafaec0510353.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259791,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259798,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259882,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 758240,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 758460,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 880349,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 880361,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895633,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb b/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb
index 5ddf9526..ab4060bc 100644
--- a/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb
+++ b/lib/one_gadget/builds/libc-2.21-f0c24219cbba0605e39e02123398437c5dbbb104.rb
@@ -21,22 +21,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 246761,
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
+OneGadget::Gadget.add(build_id, 246768,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
+ effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 246777,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 246813,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp+0x8])")
 OneGadget::Gadget.add(build_id, 246817,
- constraints: ["ebx is the GOT address of libc", "[[esp+0x4]] == NULL || [esp+0x4] == NULL", "[[esp+0x8]] == NULL || [esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid argv", "[[esp+0x8]] == NULL || [esp+0x8] == NULL || [esp+0x8] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp+0x4], [esp+0x8])")
+OneGadget::Gadget.add(build_id, 406271,
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x8", "eax == NULL"],
+ effect: "execl(\"/bin/sh\", \"sh\", eax)")
 OneGadget::Gadget.add(build_id, 406275,
- constraints: ["ebx is the GOT address of libc", "[esp+0x8] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "[esp+0x8] == NULL"],
 effect: "execl(\"/bin/sh\", \"sh\", [esp+0x8])")
 OneGadget::Gadget.add(build_id, 406281,
- constraints: ["ebx is the GOT address of libc", "eax == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp+0x4", "eax == NULL"],
 effect: "execl(\"/bin/sh\", eax)")
 OneGadget::Gadget.add(build_id, 406285,
- constraints: ["ebx is the GOT address of libc", "[esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: esp", "[esp+0x4] == NULL"],
 effect: "execl(\"/bin/sh\", [esp+0x4])")
diff --git a/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb b/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb
index 739fd697..7cfc4092 100644
--- a/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb
+++ b/lib/one_gadget/builds/libc-2.21-f233903e448d3ae08e72a23b0e742ecfc8b6ccc1.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240750,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240752,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240756,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240763,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240798,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240799,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 402084,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb b/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb
index f5c95706..2f089f70 100644
--- a/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb
+++ b/lib/one_gadget/builds/libc-2.21-f5043f1299e2b98ddf8a1ba08f731f260492601a.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393791,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb b/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb
index dc035403..7df50d7c 100644
--- a/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb
+++ b/lib/one_gadget/builds/libc-2.21-f9e9b2f3225a520c823f0d81aea92a3dacfd621f.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234181,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234183,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234187,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234194,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234229,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234230,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393727,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb b/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb
index 6bdb592f..56604b38 100644
--- a/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb
+++ b/lib/one_gadget/builds/libc-2.21-fe668be19c2dadb3cef5e6eafb6796acabf0b8f1.rb
@@ -19,28 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 279055,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 279062,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 279146,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 833808,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, r12)")
 OneGadget::Gadget.add(build_id, 834032,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 984992,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 985004,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 988781,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 1009840,
- constraints: ["[r8] == NULL || r8 == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[r8] == NULL || r8 == NULL || r8 is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
 effect: "execve(\"/bin/sh\", r8, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb b/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb
index c76dfc25..79524521 100644
--- a/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb
+++ b/lib/one_gadget/builds/libc-2.21.90-d8785e62882096798b9a47645c401e2db0c3da87.rb
@@ -22,22 +22,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 255032,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 255034,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 255038,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 255045,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 255080,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 255081,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 417876,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb b/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb
index c10af0e0..4c402ffb 100644
--- a/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb
+++ b/lib/one_gadget/builds/libc-2.21.90-ec2edee6fe6141b914f74b6d3541e986c1995420.rb
@@ -22,22 +22,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 256271,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 256273,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 256277,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 256284,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 256319,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 256320,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 420820,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb b/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb
index 210b05cc..7cbef9bf 100644
--- a/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb
+++ b/lib/one_gadget/builds/libc-2.22-056b23405739592e947a92cb210791fbfe9d9938.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 241007,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 241009,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 241013,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 241020,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 241055,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 241056,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 401703,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb b/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb
index 338de1a2..10b922f4 100644
--- a/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb
+++ b/lib/one_gadget/builds/libc-2.22-057feedce849edba19d94bf3920903b4c297e249.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240280,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240282,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240286,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240293,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240328,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240329,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 399347,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb b/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb
index d7d5717e..fdaf74ea 100644
--- a/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb
+++ b/lib/one_gadget/builds/libc-2.22-06a01f4986991b8605b775bd21c3829c071c7e01.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393487,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb b/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb
index 411f1a2a..b3fdee0d 100644
--- a/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb
+++ b/lib/one_gadget/builds/libc-2.22-07627a0a76d4347858dc9b2533aac197920feb67.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 437040,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 437059,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 437061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 437065,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 437066,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596336,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb b/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb
index d7af4fe2..38293027 100644
--- a/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb
+++ b/lib/one_gadget/builds/libc-2.22-079d0ce21fe81c5c95f687db4b944d28c121a849.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240991,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240993,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240997,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 241004,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 241039,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 241040,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 401687,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb b/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb
index 0b5813f8..a057277f 100644
--- a/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb
+++ b/lib/one_gadget/builds/libc-2.22-0f1e39397cbf59f35018306725336d275b33fad6.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393487,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb b/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb
index 3c584240..abe95c67 100644
--- a/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb
+++ b/lib/one_gadget/builds/libc-2.22-111a78efce1a05c176c84381f9a8687564c124dd.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb b/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb
index 1b6b2377..bf310559 100644
--- a/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb
+++ b/lib/one_gadget/builds/libc-2.22-11c38e8940f7cd6be485bf6903fdb169d71617dd.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb b/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb
index 8cd481cd..319ed561 100644
--- a/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb
+++ b/lib/one_gadget/builds/libc-2.22-121137de182d11744ae6be8683de568a64edca7f.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393503,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb b/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb
index 62fc9e87..d8a0a4b9 100644
--- a/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb
+++ b/lib/one_gadget/builds/libc-2.22-124cbcd567a508befc4d08238d209749a6f81ef6.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 896001,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb b/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb
index 85d350b5..2a66ce35 100644
--- a/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb
+++ b/lib/one_gadget/builds/libc-2.22-13fbe87df7583cb37d64da775d5298d139d6c645.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759175,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759384,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881287,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881299,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 896049,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb b/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb
index 4856cee7..2a1ab455 100644
--- a/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb
+++ b/lib/one_gadget/builds/libc-2.22-142110382cc91407cee827f639c811fa41aad081.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393487,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb b/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb
index e8174c8c..6492e1e2 100644
--- a/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb
+++ b/lib/one_gadget/builds/libc-2.22-157a6d46c53ff9cd3176239d342644bd34cc9e6a.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254130,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254137,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254221,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 706983,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 707192,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 835315,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 835327,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 849793,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb b/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb
index ea95a5e7..d79cce80 100644
--- a/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb
+++ b/lib/one_gadget/builds/libc-2.22-172387e0713d81467e907f48691fd8a3a9d9b745.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393487,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb b/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb
index b3ce493c..1e7a0cb0 100644
--- a/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb
+++ b/lib/one_gadget/builds/libc-2.22-1853ca84fd72235c89ca6c71dc2fd586035fb508.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400195,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb b/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb
index f9786077..cee74af3 100644
--- a/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb
+++ b/lib/one_gadget/builds/libc-2.22-18c9fd18d79dce6408c752dc974b0b895286f861.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259855,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259862,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259946,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759479,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759688,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 882007,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 882019,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 896945,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb b/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb
index a05353bf..903a8cba 100644
--- a/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb
+++ b/lib/one_gadget/builds/libc-2.22-190d9018168d767820b7fc6fac5cb62d1a40d819.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400131,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb b/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb
index 7c46d6f4..2e023c5b 100644
--- a/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb
+++ b/lib/one_gadget/builds/libc-2.22-1c3905611074ae1c586d90e5312e49817dfb1454.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb b/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb
index 3016b672..584f1943 100644
--- a/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb
+++ b/lib/one_gadget/builds/libc-2.22-1ef0e3b0b75b086f54c2fb8ad958db46c199de28.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240735,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240737,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240741,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240748,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240783,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240784,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 401431,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb b/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb
index bd32c623..17e2356f 100644
--- a/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb
+++ b/lib/one_gadget/builds/libc-2.22-20d1cd3333f60c045ee0d71cd32ac74a6b721b85.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240454,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240456,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240460,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240467,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240502,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240503,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 396729,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb b/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb
index 0006692b..a39527ba 100644
--- a/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb
+++ b/lib/one_gadget/builds/libc-2.22-22585efc70794668f1b7f01f4392daef49f476e0.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393455,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb b/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb
index 755a1d4c..408f73d9 100644
--- a/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb
+++ b/lib/one_gadget/builds/libc-2.22-263aaed35e720148fbc396f8311138d46d099d7e.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393487,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb b/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb
index 74d02d17..47fe745e 100644
--- a/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb
+++ b/lib/one_gadget/builds/libc-2.22-26ce2dab7bee96ee1c9d290100ffae593a644ddf.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 437040,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 437059,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 437061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 437065,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 437066,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596336,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb b/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb
index ddc3bb34..11f04d30 100644
--- a/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb
+++ b/lib/one_gadget/builds/libc-2.22-2881424e7394f45d7b7e4b9d7bee0ac3336fb53c.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596016,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb b/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb
index 49d1be29..b0462064 100644
--- a/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb
+++ b/lib/one_gadget/builds/libc-2.22-291a696d50e945b55f27ad1b7055adb4d94d611e.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240090,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240094,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240101,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240136,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240137,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400131,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb b/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb
index b62f8b09..621a25a4 100644
--- a/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb
+++ b/lib/one_gadget/builds/libc-2.22-2da1c94523e9778bedccac2922cdb5582b3bab99.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240312, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240314, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240318, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240325, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240360, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240361, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 399379, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb b/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb index 2e8ae24b..3f2b03fc 100644 --- a/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb +++ b/lib/one_gadget/builds/libc-2.22-34701c7aa9501f113595ba20117d03fbab4a7edf.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259855, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259862, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259946, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759479, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759688, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 882007, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 882019, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896945, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb b/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb index 14b425d4..1b9bc3dd 100644 --- a/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb +++ b/lib/one_gadget/builds/libc-2.22-34a1e432068988d1d05ded9a1ff3a5a4d9ba957d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb b/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb index 0e0dc361..552bcbab 100644 --- a/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb +++ b/lib/one_gadget/builds/libc-2.22-35dad9bbfda68f466fdb0784359dfa8be8f2e636.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 232725, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 232727, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 232731, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 232738, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 232773, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 232774, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393487, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb b/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb index abff32d3..b210b0ee 100644 --- a/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb +++ b/lib/one_gadget/builds/libc-2.22-372f377ce426f864bf68f2a32cd703d595664885.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233093, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233095, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233099, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233106, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233141, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233142, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393535, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb b/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb index 0a901888..498b6b10 100644 --- a/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb +++ b/lib/one_gadget/builds/libc-2.22-37acef3594b4fbe5bdb37cfab88155ea223bac9d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb b/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb index b10e9750..4316f1a6 100644 --- a/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb +++ b/lib/one_gadget/builds/libc-2.22-3d8a83ac6553abcf5e18c10a39e5020352cf1fb2.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240104, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240106, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240117, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240152, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240153, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400195, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb b/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb index 67900435..c14b2912 100644 --- a/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb +++ b/lib/one_gadget/builds/libc-2.22-3e86d1920edbc9fb506c499301164f3920a3e141.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240470, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240472, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240476, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240483, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240518, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240519, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 396745, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb b/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb index 9a07e763..51cd5534 100644 --- a/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb +++ b/lib/one_gadget/builds/libc-2.22-461f342f6e88de1977eb60aecd9554335b3602be.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254130, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254137, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254221, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706983, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 707192, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 835315, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 835327, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 849793, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb b/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb index 3e29e369..5cafa1f2 100644 --- a/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb +++ b/lib/one_gadget/builds/libc-2.22-49c585626bc777823124cce965150be221723855.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240088, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240090, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240094, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240101, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240136, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240137, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400131, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb b/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb index 71f5b53a..5e2827ee 100644 --- a/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb +++ b/lib/one_gadget/builds/libc-2.22-4bccfeb62282482e2bb5fe47523cc26cc9891d9d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400211, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb b/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb index e959eca1..cae897d8 100644 --- a/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb +++ b/lib/one_gadget/builds/libc-2.22-4e7b4e6104632c48765f27c7e53ce073c73b03c2.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393503, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb b/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb index b8bed64d..da7475f0 100644 --- a/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb +++ b/lib/one_gadget/builds/libc-2.22-515163d8d5ee351c62d0ef6438b1cb492b882128.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 232597, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 232599, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 232603, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 232610, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 232645, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 232646, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393151, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb b/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb index 3f48de6b..539fbd73 100644 --- a/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb +++ b/lib/one_gadget/builds/libc-2.22-53e3e8ce017c356969e16f4bb329fc45e948a045.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259407, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259414, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259498, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759543, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759752, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881159, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881171, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895921, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb b/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb index 683729cf..b7aefb98 100644 --- a/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb +++ b/lib/one_gadget/builds/libc-2.22-5f40eb5a5f32b9824ba0cb2547ffb2b6964f6414.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254130, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254137, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254221, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706983, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 707192, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 835315, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 835327, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 849793, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb b/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb index d251a7fb..0f3253cd 100644 --- a/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb +++ b/lib/one_gadget/builds/libc-2.22-6281300a16a309db14773233ab085dadc65f0081.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400211, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb b/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb index 12a448e4..bafd0480 100644 --- a/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb +++ b/lib/one_gadget/builds/libc-2.22-6293d42412b9a87b7233bcb5f5cbf4496c8c90dd.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240991, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240993, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240997, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241004, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241039, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241040, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401687, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb b/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb index ce6aa440..748be09e 100644 --- a/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb +++ b/lib/one_gadget/builds/libc-2.22-661a81563d20e7823c63828ff38348ec1b80adcc.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb b/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb index 8cfaecad..59999121 100644 --- a/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb +++ b/lib/one_gadget/builds/libc-2.22-6670937bc44571ec34ab812a7a7d2ce839a382ad.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb b/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb index e4345da5..09a6ee5a 100644 --- a/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb +++ b/lib/one_gadget/builds/libc-2.22-669abe13c2975dbdc59eb4cf3a6e9bd28ecd376c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400163, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb b/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb index a72b6287..0310ec57 100644 --- a/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb +++ b/lib/one_gadget/builds/libc-2.22-66b3470fd1603fc11a54f8f1c69b81d85f2f0074.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259439, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259446, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259530, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759175, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759384, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881287, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881299, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896049, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb b/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb index ed3b2807..e73f8735 100644 --- a/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb +++ b/lib/one_gadget/builds/libc-2.22-67222017b4ae03b81a41387cb81b0814654e2dd6.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260063, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260070, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260154, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759015, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759224, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881367, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881379, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896305, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb b/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb index 0cec829d..aa8efd3a 100644 --- a/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb +++ b/lib/one_gadget/builds/libc-2.22-6758f608b9326b54464784a72149d9991ce839d1.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254162, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254169, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254253, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706647, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 706856, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 835395, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 835407, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 849873, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb b/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb index e080425c..0e659d55 100644 --- a/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb +++ b/lib/one_gadget/builds/libc-2.22-68afe0b2e7d234d495d38ec6bf35257a42f229de.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240104, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240106, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240117, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240152, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240153, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400147, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb b/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb index 02031ff7..c64a4f4b 100644 --- a/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb +++ b/lib/one_gadget/builds/libc-2.22-695c07ac1193aad1d8ee9871ee425e5653408a4d.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259439, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259446, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259530, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759079, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759288, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881191, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881203, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896001, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb b/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb index 2ddf0c38..eebcc3ee 100644 --- a/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb +++ b/lib/one_gadget/builds/libc-2.22-6c9019c65a7a835172e1e88ca2f88d1f14fb23e1.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400163, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb b/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb index 710ec25b..8db3ea21 100644 --- a/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb +++ b/lib/one_gadget/builds/libc-2.22-765dbc5efb8e378d36cd0742b6e5a65bd9046168.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259503, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259510, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259594, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759031, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759240, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881367, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881379, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896305, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb b/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb index 2799f74b..ad976540 100644 --- a/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb +++ b/lib/one_gadget/builds/libc-2.22-775336aa55e307ff5c730b375f8220b85ede2e34.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240088, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240090, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240094, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240101, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240136, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240137, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400131, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb b/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb index 686d083b..646e4f4a 100644 --- a/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb +++ b/lib/one_gadget/builds/libc-2.22-7d3f57aba43d34ae3cfab2df04a3050efbd1dfed.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259439, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259446, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259530, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759079, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759288, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881191, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881203, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896001, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb b/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb index e8a462bd..5d8733b1 100644 --- a/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb +++ b/lib/one_gadget/builds/libc-2.22-84681ac612616253b2eb8e99e1b68836b7d68cac.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb b/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb index 37e517d8..d6cc4953 100644 --- a/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb +++ b/lib/one_gadget/builds/libc-2.22-87066f8392926c00ab4a5969f52aade616c1e314.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240088, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240090, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240094, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240101, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240136, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240137, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400131, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb b/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb index 537270bb..31efb7e4 100644 --- a/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb +++ b/lib/one_gadget/builds/libc-2.22-871cd1cac63b0dcd8f2cdd231291f9f89fe7c099.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240024, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240026, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240030, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240037, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240072, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240073, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 399107, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb b/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb index a6f2712b..f1689f18 100644 --- a/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb +++ b/lib/one_gadget/builds/libc-2.22-87e1ed146ef347cf326650e230524a6c8d4ed43d.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 260303, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260310, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 260394, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 760752, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 760972, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 882925, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 882937, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 898257, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb b/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb index 682a5da2..f1b96845 100644 --- a/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb +++ b/lib/one_gadget/builds/libc-2.22-8c48d3a9f8dea201de2948aa7f78c6a42ffa47cf.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259471, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259478, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259562, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759607, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759816, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881223, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881235, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895985, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb b/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb index 73c836e7..3d4fe145 100644 --- a/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb +++ b/lib/one_gadget/builds/libc-2.22-916b3d65c4f43150dea643a905c1a2a68efc3fb6.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240104, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240106, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240117, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240152, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240153, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400147, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb b/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb index 9b4a108f..035a8baf 100644 --- a/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb +++ b/lib/one_gadget/builds/libc-2.22-91dee95c3183246a5332357b814a08ba9c05d999.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233093, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233095, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233099, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233106, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233141, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233142, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393535, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb b/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb index 605400ce..8bc90d7a 100644 --- a/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb +++ b/lib/one_gadget/builds/libc-2.22-91fcf48a9dd99f320b205a2feef18c2edfdbaeba.rb 
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596016,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb b/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb
index bad37c81..b6a621c8 100644
--- a/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb
+++ b/lib/one_gadget/builds/libc-2.22-92f57ef98cf5dc8e4d6b5df5cd1b9260b7e9975a.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254162,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254169,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254253,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 706647,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 706856,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 835395,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 835407,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 849873,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb b/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb
index 4c7ba57f..f157e7f1 100644
--- a/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb
+++ b/lib/one_gadget/builds/libc-2.22-94075f4ca5cff8f90934c9e1706db8022e7d4ba1.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259407,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259414,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259498,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881159,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881171,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 895921,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb b/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb
index 403b0670..a2643f63 100644
--- a/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb
+++ b/lib/one_gadget/builds/libc-2.22-94140487ddd020e65cb6c3f9ae09275ca91dc47c.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254130,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254137,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254221,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 706983,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 707192,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 835315,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 835327,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 849793,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb b/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb
index be8c06e5..99b11837 100644
--- a/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb
+++ b/lib/one_gadget/builds/libc-2.22-94b271ac2dedc103ec8d042bb40a418a042dceb9.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596016,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb b/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb
index 8941f5de..3cd9b325 100644
--- a/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb
+++ b/lib/one_gadget/builds/libc-2.22-9686e55d792fbbcc0ae8589a69c8b15d2444ac65.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233093,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233095,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233099,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233141,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233142,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393535,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb b/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb
index ddd0eb17..77d954a9 100644
--- a/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb
+++ b/lib/one_gadget/builds/libc-2.22-a352f9564e9d19391f222c67e5c64e09f949df4e.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 436864,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 436883,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 436885,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 436889,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 436890,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 596160,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb b/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb
index af34317a..ef034e8a 100644
--- a/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb
+++ b/lib/one_gadget/builds/libc-2.22-a506f6e38353adbb19bd22872b2fa8831c32c63d.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240104,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240106,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240110,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240117,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240152,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240153,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400147,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb b/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb
index e8772b38..784ea9c6 100644
--- a/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb
+++ b/lib/one_gadget/builds/libc-2.22-a5a6daa9eb710b5fc311bdd17696bb25e98d9dab.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259439,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259446,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259530,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 759079,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 759288,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 881191,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 881203,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 896001,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb b/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb
index 48fd0704..bd2a717d 100644
--- a/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb
+++ b/lib/one_gadget/builds/libc-2.22-a61e9f882f22a77b803a1fa28912b2636913ea56.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240120,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240122,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240126,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240133,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240168,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240169,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 400163,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb b/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb
index 18db3524..fff80ae4 100644
--- a/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb
+++ b/lib/one_gadget/builds/libc-2.22-ac771fb8769897775bb6df04fe982d7a79684c8a.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 232725,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 232727,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 232731,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 232738,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 232773,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 232774,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393487,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb b/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb
index f23bf8ce..c9e22b01 100644
--- a/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb
+++ b/lib/one_gadget/builds/libc-2.22-b213a4604fc2c8fd113ae890a97c3c2ad4022ceb.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233061,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233063,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233067,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233074,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233109,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233110,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 393455,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb b/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb
index 2541e322..8170bf70 100644
--- a/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb
+++ b/lib/one_gadget/builds/libc-2.22-b916e3c1d80069d0209f6376b33e42b75ec49eda.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241007, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241009, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241013, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241020, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241055, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241056, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401703, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb b/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb index d240595d..9f2c9837 100644 --- a/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb +++ b/lib/one_gadget/builds/libc-2.22-b941d9b157b159697c7cbfa154c410b23be1a7af.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436064, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436083, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436085, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436089, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436090, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 595920, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb b/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb index 588abc34..9f1a6a02 100644 --- a/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb +++ b/lib/one_gadget/builds/libc-2.22-bdbc01430dbd0c80011dea9852f3ae257bcf3138.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254162, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254169, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254253, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706647, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 706856, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 835395, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 835407, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 849873, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb b/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb index ae339c37..b855fba9 100644 --- a/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb +++ b/lib/one_gadget/builds/libc-2.22-bfdfa3833107e0041ab896c1dbfd0a4f1c4fec77.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400163, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb b/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb index 2072046b..9c0f5f2e 100644 --- a/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb +++ b/lib/one_gadget/builds/libc-2.22-c2931cdba68412c1b871f960b4005f70847b29c3.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400163, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb b/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb index f30b09f4..b78ed650 100644 --- a/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb +++ b/lib/one_gadget/builds/libc-2.22-c65d9bac0e2687bd08337088466a686c40479e5d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 232997, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 232999, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233003, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233010, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233045, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233046, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 392527, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb b/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb index 44632c3a..5ce1f7b6 100644 --- a/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb +++ b/lib/one_gadget/builds/libc-2.22-c6799f7a3df15cf4c4b5c273686e7cb3283e0337.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240104, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240106, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240117, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240152, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240153, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400147, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb b/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb index d0a4184a..3e55a372 100644 --- a/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb +++ b/lib/one_gadget/builds/libc-2.22-cb354ede0283a824c81183b1ffb6add90255edb6.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240104, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240106, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240117, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240152, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240153, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400147, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb b/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb index dd39cbbd..1ac6eedd 100644 --- a/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb +++ b/lib/one_gadget/builds/libc-2.22-cee6e82b12f7c94f715fc96dcd4544a44997dbb5.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 232725, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 232727, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 232731, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 232738, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 232773, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 232774, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393407, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb b/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb index 8a1f68de..e4823896 100644 --- a/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb +++ b/lib/one_gadget/builds/libc-2.22-d0516d4ba12ccc659906a5f122f8637279970bf4.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240088, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240090, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240094, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240101, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240136, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240137, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400131, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb b/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb index f2913581..ef9def6d 100644 --- a/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb +++ b/lib/one_gadget/builds/libc-2.22-d088eee45f6cbd649b53ae99b68a91823d86c6d6.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb b/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb index 830ab54e..f66c123e 100644 --- a/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb +++ b/lib/one_gadget/builds/libc-2.22-dcc06a908986f225fded745f7f884bf50fd5b434.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436064, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436083, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436085, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436089, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436090, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 595920, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb b/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb index a8165d5e..6e0b0815 100644 --- a/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb +++ b/lib/one_gadget/builds/libc-2.22-dd900e0adc14d176fe33f2b6e5d8dbe2bacb48d0.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259439, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259446, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259530, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759175, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759384, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881287, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881299, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896049, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb b/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb index 952dc97d..ee975cb8 100644 --- a/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb +++ b/lib/one_gadget/builds/libc-2.22-e1d7f9459324fd489e82a931f9bbe3b10cfc4436.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436960, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436979, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436981, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436985, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436986, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 596256, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb b/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb index 014d9a2f..08c20ff6 100644 --- a/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb +++ b/lib/one_gadget/builds/libc-2.22-e259f9732c7269eccd67dc7f8bbceded2a909972.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240104, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240106, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240117, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240152, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240153, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400147, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb b/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb index 91a5412d..f38dfdf2 100644 --- a/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb +++ b/lib/one_gadget/builds/libc-2.22-e7e6d42611b69819d39439c2ee93305f6305ed90.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259327, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259334, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259418, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 758855, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759064, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881191, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881203, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896129, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb b/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb index e49e2980..20a8e342 100644 --- a/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb +++ b/lib/one_gadget/builds/libc-2.22-eb0fe6bc985d025bfeeb207924823e7c2c7a77e6.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254162, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254169, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254253, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706647, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 706856, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 835395, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 835407, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 849873, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb b/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb index 3e9e12cf..05ead7bf 100644 --- a/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb +++ b/lib/one_gadget/builds/libc-2.22-eb2c0cc31e0d158b487d1010b30fa7ed358fcbd7.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 436064, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 436083, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 436085, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 436089, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 436090, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 596016, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb b/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb index 75e996dc..6157e657 100644 --- a/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb +++ b/lib/one_gadget/builds/libc-2.22-ee60bf5cd327f0aa534fd8c37a8733e942707a0a.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb b/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb index 87a9b7c0..3a3b639b 100644 --- a/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb +++ b/lib/one_gadget/builds/libc-2.22-efd6084786349d5763237b1caeb3d5d9f61dce75.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259439, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259446, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259530, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759159, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759368, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881303, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881315, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 896065, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb b/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb index e5296334..6594dd46 100644 --- a/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb +++ b/lib/one_gadget/builds/libc-2.22-f21f4b63fbd354522a1c37a982da46973b6a95ef.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240120, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240122, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240133, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240168, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240169, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 400163, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb b/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb index e5398f79..ebc9f777 100644 --- a/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb +++ b/lib/one_gadget/builds/libc-2.22-f43f58b45b8c7fe20d3c3c9f812f50a7755615d3.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259407, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259414, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259498, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 759543, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 759752, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 881159, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 881171, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 895921, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb b/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb index b8291c41..3ab8511b 100644 --- a/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb +++ b/lib/one_gadget/builds/libc-2.22-fa6cf8c4105217d0cf2609ab83ec3c9d4d3c5d41.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233061, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233063, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233067, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233074, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233109, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233110, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393455, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb b/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb index feebbe7e..d8cd8cce 100644 --- a/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb +++ b/lib/one_gadget/builds/libc-2.22-faef9af5a88432766d76d7da2cf961c75b6e0e0b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240719, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240721, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240725, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240732, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240767, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240768, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401415, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb b/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb index bcc17c26..ab290785 100644 --- a/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb +++ b/lib/one_gadget/builds/libc-2.22-ff7fbdaaef014460825b4ef5848e86834aa3880c.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 436064,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 436083,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 436085,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 436089,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 436090,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 595920,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb b/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb
index f75e976f..82219c1f 100644
--- a/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb
+++ b/lib/one_gadget/builds/libc-2.23-012683a92d161c37d51d89711c4870ba30904c3d.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383199,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb b/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb
index 3c8fa9f6..eedd9280 100644
--- a/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb
+++ b/lib/one_gadget/builds/libc-2.23-088165fba081e659b7ea6463eab7bcac70363656.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240412,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240414,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240418,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240425,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240460,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240461,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383157,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb b/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb
index d546a4ec..06bb1a28 100644
--- a/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb
+++ b/lib/one_gadget/builds/libc-2.23-0ae3de55854513a2a7d4979337176c0717efce8a.rb
@@ -19,25 +19,28 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb b/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb
index 13964076..6566e2c0 100644
--- a/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb
+++ b/lib/one_gadget/builds/libc-2.23-0c23056feb23daf0cb1d2f90e153b5f892df83c6.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 388917,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb b/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb
index 83dafd6a..202ee7b8 100644
--- a/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb
+++ b/lib/one_gadget/builds/libc-2.23-11ae3441756e6c2ebf5c962434bf9f07b3ea3deb.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383167,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb b/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
index 4f8b1a0b..2b016f01 100644
--- a/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
+++ b/lib/one_gadget/builds/libc-2.23-131c254aed46e6a24cb08f3abe802ea0ef50e5f9.rb
@@ -19,25 +19,28 @@ # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259231,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259238,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259322,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 753543,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 753752,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 875399,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 875411,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 890161,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb b/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
index 1c415b70..dfb44946 100644
--- a/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
+++ b/lib/one_gadget/builds/libc-2.23-1800a4bdb0c42a7bb7a570ed90724fa04de8a4fe.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239644,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239646,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239650,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239657,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239692,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239693,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 389221,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb b/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb
index 8925d7e0..b9655e09 100644
--- a/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb
+++ b/lib/one_gadget/builds/libc-2.23-18f761287ed46e213bec29c2e440e73fd72373be.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240748,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240750,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240754,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240761,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240796,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240797,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 392149,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb b/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
index d985412a..6da233a7 100644
--- a/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
+++ b/lib/one_gadget/builds/libc-2.23-1b1d19add6d861e16e04e4b8e9864a7bc16c1327.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233317,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233319,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233323,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233330,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233366,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383183,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb b/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
index c52c8fbd..e5a5cdc6 100644
--- a/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
+++ b/lib/one_gadget/builds/libc-2.23-1e80992437b5e1cb76bf56605ee8991e76e85f69.rb
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 437664,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 437683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 437685,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 437689,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 437690,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 584400,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb b/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
index e5cf6234..67d6d9b4 100644
--- a/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
+++ b/lib/one_gadget/builds/libc-2.23-1f1cf1c7ff279aa37add352423fd850e06be1098.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239452,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239454,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239458,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239465,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239500,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239501,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 388789,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb b/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
index 6ac16f6f..67007090 100644
--- a/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
+++ b/lib/one_gadget/builds/libc-2.23-233dde1d38ecdc54bef352f1b5ee4e007ec9df26.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240716,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240718,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240722,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240729,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240764,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240765,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 390469,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb b/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb
index ab5ba56e..b52cf6a4 100644
--- a/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb
+++ b/lib/one_gadget/builds/libc-2.23-2891dc7656eed3d8d4f255c41ca6a28caf532079.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 388917,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb b/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb
index 435388f7..614edee1 100644
--- a/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb
+++ b/lib/one_gadget/builds/libc-2.23-29e38445a740bba5a77b86691e3c51a7e48dc79b.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239628,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239630,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239634,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239641,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239676,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239677,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 389221,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb b/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb
index e187c8db..058473ff 100644
--- a/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb
+++ b/lib/one_gadget/builds/libc-2.23-2aedae2bb27ac85cf14c36da79747dd88bb2b633.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239452,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239454,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239458,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239465,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239500,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239501,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 388789,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb b/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb
index 93738f88..b56cbd2b 100644
--- a/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb
+++ b/lib/one_gadget/builds/libc-2.23-2c4ed1bebc9ede033fbbb422f84da9a93cacd88e.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233367,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233371,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233378,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233413,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233414,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383087,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb b/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb
index 40a6d243..a7b25bf3 100644
--- a/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb
+++ b/lib/one_gadget/builds/libc-2.23-30773be8cf5bfed9d910c8473dd44eaab2e705ab.rb
@@ -19,28 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283167,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283174,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283258,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 840051,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, r12)")
 OneGadget::Gadget.add(build_id, 840264,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rax, r12)")
 OneGadget::Gadget.add(build_id, 983972,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 983984,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 987719,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 1009648,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb b/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb
index 753537b5..1fffac39 100644
--- a/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb
+++ b/lib/one_gadget/builds/libc-2.23-336976f90c600be7c95a68be6c2f0652cc22347c.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 390101,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb b/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb
index 431848e2..bf64688e 100644
--- a/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb
+++ b/lib/one_gadget/builds/libc-2.23-3612e20f3e2705dcf8fd81ac494a0e20b9e16764.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 390101,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb b/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb
index 42e67f5f..7191e324 100644
--- a/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb
+++ b/lib/one_gadget/builds/libc-2.23-369de0e1d833caa693af17f17c83ba937f0a4dad.rb
@@ -19,28 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283135,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283142,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283226,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 837235,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, r12)")
 OneGadget::Gadget.add(build_id, 837448,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rax, r12)")
 OneGadget::Gadget.add(build_id, 981492,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 981504,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 985239,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 1007168,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb b/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb
index 07a5cced..b5cc09e3 100644
--- a/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb
+++ b/lib/one_gadget/builds/libc-2.23-39fa51127c50ad10c32a19e0a1a587a05b8d450b.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383167,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb b/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb
index 21a1de24..0c14280f 100644
--- a/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb
+++ b/lib/one_gadget/builds/libc-2.23-408d0e9e7720923def88a5aea9988cbaa0142b64.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259007,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259014,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259098,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 752759,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 752968,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 874087,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 874099,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 888849,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb b/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb
index e117953e..940a8554 100644
--- a/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb
+++ b/lib/one_gadget/builds/libc-2.23-414c35398dffe74ac9ed945e176d8fd99446d9de.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259135,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259142,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259226,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754615,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 754824,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 876631,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 876643,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 891553,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb b/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb
index cdc17a1a..e98f70f5 100644
--- a/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb
+++ b/lib/one_gadget/builds/libc-2.23-49bd3f83d9b34b9f043e68624271c5ef90820021.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239388, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239390, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239394, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239401, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239436, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239437, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 388917, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb b/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb index 488f0f62..c808ccdf 100644 --- a/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb +++ b/lib/one_gadget/builds/libc-2.23-4df2711ee6c911fe238cf10f43b08099201e57ec.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258863, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258870, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258954, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 755157, - constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)") OneGadget::Gadget.add(build_id, 876757, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 876769, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb b/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb index ecb0dd19..c45f9bca 100644 --- a/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb +++ b/lib/one_gadget/builds/libc-2.23-54128118082b61b311247f8fa6672b8df938748a.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 283119, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283126, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283210, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 839212, - constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rax, r12)") OneGadget::Gadget.add(build_id, 983364, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 983376, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 987127, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1008992, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid 
argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb b/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb index 783d76ca..0c7d6ea5 100644 --- a/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb +++ b/lib/one_gadget/builds/libc-2.23-5d45b750d14b7b6ea11c2b57c73746b61592437b.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254530, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254537, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254621, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 695431, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 695640, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 823779, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823791, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 838257, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb b/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb index 40ffd084..9f0bb9d5 100644 --- a/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb +++ b/lib/one_gadget/builds/libc-2.23-5d511bfe32efcb567933d13ab9dc87f0a02d3651.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 437664, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 437683, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 437685, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 437689, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 437690, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 584400, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb b/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb index 1746d56c..13b0f488 100644 --- a/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb +++ b/lib/one_gadget/builds/libc-2.23-60ea46dff84c256650d44c1a32ca609168bee1a6.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239340, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239342, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239346, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239353, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239388, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239389, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 380565, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb b/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb index 2cb76519..533c9581 100644 --- a/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb +++ b/lib/one_gadget/builds/libc-2.23-635101aec7213fdc442419bf65a92047a862ff32.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239644, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239646, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239650, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239657, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239692, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239693, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 389237, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb b/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb index eaaad95a..dbffe6d3 100644 --- a/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb +++ b/lib/one_gadget/builds/libc-2.23-6462f7cc95a34bd03f42ad150211db68fcf27d44.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240716, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240718, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240722, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240729, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240764, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240765, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 390485, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb b/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb index 862835d7..6b9cb2b2 100644 --- a/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb +++ b/lib/one_gadget/builds/libc-2.23-697f7d05a70ecde852a2eed480bea6a6779b4a27.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258975, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258982, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259066, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 752727, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 752936, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 874055, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874067, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 888817, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb b/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb index 3131efe0..2e4d0006 100644 --- a/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb +++ b/lib/one_gadget/builds/libc-2.23-7598dcdd3567efa7befebc6d97977e83d758c649.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233349, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233351, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233355, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233362, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233397, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233398, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 383071, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb b/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb index f479049c..b93322dc 100644 --- a/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb +++ b/lib/one_gadget/builds/libc-2.23-78e2b4f1945abc8f1db6d82acf6d1ef593d01e06.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239388, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239390, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239394, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239401, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239436, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239437, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 388917, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb b/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb index 70dfcae6..9d3f2aea 100644 --- a/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb +++ b/lib/one_gadget/builds/libc-2.23-89cc3bb9361ad139a1967462175759416c9dc82b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239612, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239614, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239618, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239625, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239660, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239661, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 389189, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb b/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb index ce6d340c..b1a6e199 100644 --- a/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb +++ b/lib/one_gadget/builds/libc-2.23-8b51f0e99fae7170859f393ba0118cc955c337b9.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239388, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239390, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239394, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239401, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239436, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239437, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 388917, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb b/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb index df69a316..cdbb5f2e 100644 --- a/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb +++ b/lib/one_gadget/builds/libc-2.23-8c436e0b35bb19702fba4b5effb3f94edecc3c46.rb 
@@ -19,22 +19,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 486813,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x24, environ)")
 OneGadget::Gadget.add(build_id, 486815,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 486819,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 486826,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 486861,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 486862,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 637251,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb b/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb
index c7e997ca..5523c019 100644
--- a/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb
+++ b/lib/one_gadget/builds/libc-2.23-8ccf267bc9d0f4706559d85cbeb704782dae9ede.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239484,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239486,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239490,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239497,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239532,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239533,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 389808,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb b/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb
index 9adb0570..4ff7dd58 100644
--- a/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb
+++ b/lib/one_gadget/builds/libc-2.23-946025a5cad7b5f2dfbaebc6ebd1fcc004349b48.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258863,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258870,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258954,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754597,
- constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)")
 OneGadget::Gadget.add(build_id, 875749,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 875761,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb b/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb
index 54d84445..7ef9f558 100644
--- a/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb
+++ b/lib/one_gadget/builds/libc-2.23-9600225be309ec27d01385dd52df9196e86ed3c0.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239388,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239390,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239394,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239401,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239436,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239437,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 388917,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb b/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
index ccd788de..ae09968d 100644
--- a/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
+++ b/lib/one_gadget/builds/libc-2.23-961068caa1dcd5005b27c7c6abe32e94102eae3f.rb
@@ -19,25 +19,28 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258975,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258982,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259066,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 752727,
- constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, r12)")
 OneGadget::Gadget.add(build_id, 752936,
- constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x40], r12)")
 OneGadget::Gadget.add(build_id, 874055,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 874067,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 888817,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
diff --git a/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb b/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
index 5afc47a3..58deae3e 100644
--- a/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
+++ b/lib/one_gadget/builds/libc-2.23-96f8c796364693379a2a0c753133fecbd1c52434.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240124,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240126,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240130,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240137,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240172,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240173,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 390517,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb b/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
index 021afae4..4edb5703 100644
--- a/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
+++ b/lib/one_gadget/builds/libc-2.23-99de357f509368d89f95b0e92b0d5227e8b8addc.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240188,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240190,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240194,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240201,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240236,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240237,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 390069,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb b/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
index c6d15f64..7a5f72f5 100644
--- a/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
+++ b/lib/one_gadget/builds/libc-2.23-9e85392b0c4e3e2c8fdc063dfda4c3d0e0156e54.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233317,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233319,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233323,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233330,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233365,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233366,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383183,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb b/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
index fce27b2b..963395af 100644
--- a/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
+++ b/lib/one_gadget/builds/libc-2.23-a6fe771348e04d552fa1e6dcaf610699719bdd0e.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239452,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239454,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239458,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239465,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239500,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239501,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 388789,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb b/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb
index b4ffe15e..609a0065 100644
--- a/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb
+++ b/lib/one_gadget/builds/libc-2.23-a71b122dbcd9503767b6f176d7745749fb4aaf89.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233301,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233303,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233307,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233314,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233349,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233350,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 383167,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb b/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb
index cc7e5e2e..4901674c 100644
--- a/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb
+++ b/lib/one_gadget/builds/libc-2.23-b078f2c07ab3751dbcbc3fbd2a11a8a162c35576.rb
@@ -19,19 +19,19 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 437088,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 437107,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x24, [eax])")
 OneGadget::Gadget.add(build_id, 437109,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", esp+0x28, [esp])")
 OneGadget::Gadget.add(build_id, 437113,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 437114,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 584400,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb b/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb
index 7d52885a..080e825a 100644
--- a/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb
+++ b/lib/one_gadget/builds/libc-2.23-b2994712adbb4db7b768554149443ddee829cb91.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240716,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240718,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240722,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240729,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240764,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240765,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 390437,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb b/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb
index a4a73940..08f9eabb 100644
--- a/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb
+++ b/lib/one_gadget/builds/libc-2.23-b5381a457906d279073822a5ceb24c4bfef94ddb.rb
@@ -19,28 +19,31 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283151,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283158,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283242,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 839923,
- constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, r12)")
 OneGadget::Gadget.add(build_id, 840136,
- constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", rax, r12)")
 OneGadget::Gadget.add(build_id, 983716,
- constraints: ["[rsp+0x50] == NULL"],
+ constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 983728,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 987463,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 1009392,
- constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"],
+ constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"],
 effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])")
diff --git a/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb b/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb
index 7e57d256..7392f17e 100644
--- a/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb
+++ b/lib/one_gadget/builds/libc-2.23-b8aaf9d529588ee96e6e399ab8a15cbd58ab8b54.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239388, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239390, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239394, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239401, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239436, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239437, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 389109, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb b/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb index d5748b8f..b4765b5c 100644 --- a/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb +++ b/lib/one_gadget/builds/libc-2.23-b978afd6ca2cf3f8768d6055581ece3c3e7d7b27.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258975, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258982, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259066, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 752727, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 752936, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 874055, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874067, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 888817, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb b/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb index 993f9966..c2b1da7b 100644 --- a/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb +++ b/lib/one_gadget/builds/libc-2.23-bde4e8b0230b1b474cd8a1ca6e9f81bb2b438914.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240748, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240750, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240754, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240761, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240796, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240797, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 392149, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb b/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb index e208599e..ec1ea8fc 100644 --- a/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb +++ b/lib/one_gadget/builds/libc-2.23-c0a199289365088782dcaceab6a81721d0d8ae0c.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254482, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254489, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254573, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 695079, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 695288, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 823427, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 823439, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 837905, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb b/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb index ad731b29..25f9512e 100644 --- a/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb +++ b/lib/one_gadget/builds/libc-2.23-c0cc47b9f732f8150eb2bbfb18d0d60a7b3564a9.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233317, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233319, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233323, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233330, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233365, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233366, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 383183, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb b/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb index 1c354b80..c0550a8c 100644 --- a/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb +++ b/lib/one_gadget/builds/libc-2.23-c4fd86ec1eed57a09c79ce601f6c6e3796f574df.rb 
@@ -19,28 +19,31 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 283167, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283174, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283258, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 840051, - constraints: ["[rcx] == NULL || rcx == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rcx, r12)") OneGadget::Gadget.add(build_id, 840264, - constraints: ["[rax] == NULL || rax == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rax] == NULL || rax == NULL || rax is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rax, r12)") OneGadget::Gadget.add(build_id, 983908, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 983920, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 987655, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1009584, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL || [rbp-0xf8] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0xf8])") diff --git a/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb b/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb index eef3b9da..eb2e3d7d 100644 --- a/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb +++ b/lib/one_gadget/builds/libc-2.23-d10743a8f3a9a7a2e9807b1af78026c0b5363f6b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240700, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240702, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240706, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240713, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240748, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240749, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391845, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb b/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb index 756a667c..ad4e714b 100644 --- a/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb +++ b/lib/one_gadget/builds/libc-2.23-d10fbfd9328f5ffaca50aa93562cb3bfb618fbcc.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259247, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259254, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259338, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753703, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753912, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 875047, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875059, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 889809, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb b/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb index e4e46401..352bf838 100644 --- a/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb +++ b/lib/one_gadget/builds/libc-2.23-d1df77a9cc06ba60c213852b01bc24282e49696a.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259215, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259222, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259306, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753591, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753800, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 875383, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875395, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 890225, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb b/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb index c5acdbe6..8bbf2b6c 100644 --- a/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb +++ b/lib/one_gadget/builds/libc-2.23-d2be9dbf540a6ca8b559ddfbd17f47b53e84ba8d.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258975, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258982, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259066, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 752727, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 752936, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 874055, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874067, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 888817, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb b/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb index 99573a39..5d99bbc6 100644 --- a/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb +++ b/lib/one_gadget/builds/libc-2.23-d61f734abbd95e2ddeab19046141020d00aa2aaf.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 437088, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 437107, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 437109, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 437113, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 437114, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 584400, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb b/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb index 0b9987dd..524b9f97 100644 --- a/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb +++ b/lib/one_gadget/builds/libc-2.23-dcd02728e55c40d4a4b0d1482abe75cf2b853c2e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240188, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240190, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240194, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240201, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240236, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240237, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 390101, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb b/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb index d94ecd11..bcd191f2 100644 --- a/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb +++ b/lib/one_gadget/builds/libc-2.23-dd5192a769e33ed6ca68a6ab5740ff9e8ec678a7.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240732, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240734, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240738, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240745, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240780, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240781, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 392133, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb b/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb index 23e3f50e..00908e5b 100644 --- a/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb +++ b/lib/one_gadget/builds/libc-2.23-e388b883ef50189a2eb5e6c7931c52e03761a7fd.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254610, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254617, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254701, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 695895, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 696104, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 824691, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 824703, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 839169, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb b/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb index 624bf6cd..b6dc3452 100644 --- a/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb +++ b/lib/one_gadget/builds/libc-2.23-e7b96675bca2ca2e2e746ebcb706d9236178564c.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258975, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258982, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259066, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753983, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r13)") OneGadget::Gadget.add(build_id, 875285, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875297, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb b/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb index 71c05dc9..e598cc45 100644 --- a/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb +++ b/lib/one_gadget/builds/libc-2.23-e7c57c7dc7a4d8ca964993f19fd8b0fc4f72b617.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259055, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259062, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259146, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753031, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753240, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 874855, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874867, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 889617, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb b/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb index d9173905..965f7d49 100644 --- a/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb +++ b/lib/one_gadget/builds/libc-2.23-e8df4c3d58e99c87f9b22655e9180c7ac31cb44f.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240108, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240110, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240114, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240121, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240156, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240157, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 390501, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb b/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb index edb063ed..37f15200 100644 --- a/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb +++ b/lib/one_gadget/builds/libc-2.23-edceed30099baad51871c5fc277daf9b74dc726a.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239596, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239598, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239602, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239609, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239644, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239645, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 388933, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb b/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb index f93feefd..8d2c80d0 100644 --- a/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb +++ b/lib/one_gadget/builds/libc-2.23-ee0b5a0f65e25f536a868d84e1d912403b56e742.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258927, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258934, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259018, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 752471, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 752680, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 873799, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 873811, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 888561, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb b/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb index 6a10e359..bd727e75 100644 --- a/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb +++ b/lib/one_gadget/builds/libc-2.23-ee525f6c9b018c094beedd17b87a4573d7ea7e2e.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258975, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258982, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259066, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 752727, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 752936, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 874055, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 874067, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 888817, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb b/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb index de67b4c7..6aaaa18a 100644 --- a/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb +++ b/lib/one_gadget/builds/libc-2.23-f0c2e03955a845c9a7f9c85228b12c9700d66c50.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233301, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233303, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233307, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233314, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233349, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233350, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 383167, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb b/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb index 4c6bb8a1..c3fdfeab 100644 --- a/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb +++ b/lib/one_gadget/builds/libc-2.23-f202f01f10e845e14e7d8ca44cf5d9e4742fca6a.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258863, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258870, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258954, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 754533, - constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)") OneGadget::Gadget.add(build_id, 875685, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875697, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb b/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb index 491f8575..52d54a68 100644 --- a/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb +++ b/lib/one_gadget/builds/libc-2.23-f2f2f2af4f3e8597cca1fdff1008a834c78de42b.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259279, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259286, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259370, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753847, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754056, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 875271, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875283, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 890033, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb b/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb index 070cc219..c07f032b 100644 --- a/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb +++ b/lib/one_gadget/builds/libc-2.23-f303ce47c562225a4f3475170333494965760a6a.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259279, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259286, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259370, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753847, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 754056, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 875223, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875235, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 889985, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb b/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb index 7a787af9..ff718ca6 100644 --- a/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb +++ b/lib/one_gadget/builds/libc-2.23-f33f3937b8f458ffd96cf10a22deea1bd85ac61a.rb 
@@ -19,25 +19,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 259055, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259062, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259146, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 753367, - constraints: ["[rsi] == NULL || rsi == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rsi, r12)") OneGadget::Gadget.add(build_id, 753576, - constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[[rbp-0x40]] == NULL || [rbp-0x40] == NULL || [rbp-0x40] is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x40], r12)") OneGadget::Gadget.add(build_id, 875223, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 875235, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 889985, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == 
NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") diff --git a/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb b/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb index b0d499ab..86c70a89 100644 --- a/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb +++ b/lib/one_gadget/builds/libc-2.23-f4490657edfef482025fff60e85acd5928e0d05b.rb 
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 239644,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 239646,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 239650,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 239657,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 239692,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 239693,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 389237,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb b/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb
index 69978681..b4e656c3 100644
--- a/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb
+++ b/lib/one_gadget/builds/libc-2.23-ffb3662a7bc5e136fa8f464fc14ec23efb8d1817.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258863,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258870,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258954,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 754533,
- constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL", "[rbx] == NULL || rbx == NULL"],
+ constraints: ["[[rbp-0x38]] == NULL || [rbp-0x38] == NULL || [rbp-0x38] is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x38], rbx)")
 OneGadget::Gadget.add(build_id, 876117,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 876129,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb b/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb
index 92604337..fa8efe6a 100644
--- a/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-203feaf8a7e40cef8a75568a406a22fdeda94f8b.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259199,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259206,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259290,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 755496,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878085,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878097,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb b/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb
index 95d245f9..a394fb68 100644
--- a/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-392b643118f919a1827477e978d9cea2b09a34fc.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 232965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 232967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 232971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 232978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 384607,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb b/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb
index ba199f72..e2418b5e 100644
--- a/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-52e411aed4443fbbcb9706fffa2362e4a108f28f.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 232965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 232967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 232971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 232978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 384607,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb b/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb
index 8b9a6e8f..3b9b12a7 100644
--- a/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-604d873b711edeb971328656c4c17bbc15c7427f.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 392117,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb b/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb
index d6120520..22f3710a 100644
--- a/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-63fbdf3e3928f6dc2bcac10e28aa233a625a3d27.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234677,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234679,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234683,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234690,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234725,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234726,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 386143,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb b/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb
index 3b465c41..5d7aac87 100644
--- a/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-7439c4311f0dd7307f78c1b5530f52a590230e45.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 392117,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb b/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb
index 1dd3dbca..175111f1 100644
--- a/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-b23fcdbc7bead3c59600e0a6acfe9220c42e1b93.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 238732,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 238734,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 238738,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 238745,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 238780,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 238781,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 391189,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb b/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb
index 1d08b88f..22066712 100644
--- a/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-c5238226a11b5538d56c713c97db1a36722e6322.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756488,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878773,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878785,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb b/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb
index e1bb239b..0bab3575 100644
--- a/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-e1b43c632d35649e9b128528994426e34ae40d1a.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234405,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234407,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234411,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234418,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234453,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234454,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 384831,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb b/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb
index 9de69c1d..e8ef3dba 100644
--- a/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-e9ab765fb32204de2215d6117dcbc1fb92f26b9a.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 259199,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259206,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259290,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 755608,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878197,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878209,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb b/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb
index 79c41f74..ec1af562 100644
--- a/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-ef3765f1e2595771cefa96291c647d0eff8a81e0.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258991,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258998,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259082,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756488,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878773,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878785,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb b/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb
index 845ab094..324510d3 100644
--- a/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb
+++ b/lib/one_gadget/builds/libc-2.23.90-f149edaf4dee34b38f831bf0914af2ecf0a1a317.rb
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 238732, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 238734, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 238738, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 238745, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 238780, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 238781, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391189, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb b/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb index 5b944dc6..4b6d14db 100644 --- a/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb +++ b/lib/one_gadget/builds/libc-2.24-024385baa7aaf9c62ae336e896bcf245dda0fc01.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234677, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234679, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234683, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234690, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234725, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234726, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 386143, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb b/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb index 25d5e44f..632c3cb0 100644 --- a/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb +++ b/lib/one_gadget/builds/libc-2.24-04b6f2a9e244a36a9f107febf832bbadea9f252c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb b/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb index 3e096582..d845cced 100644 --- a/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb +++ b/lib/one_gadget/builds/libc-2.24-0b88546716e2f1924986596ee7cc9215df89c6f5.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241148, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241150, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241154, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241161, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241196, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241197, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 394501, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb b/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb index 0077c7bb..dfc09299 100644 --- a/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb +++ b/lib/one_gadget/builds/libc-2.24-0c11fd6524ef7a7da877f940fba181ed746edb0a.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233589, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233591, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233595, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233602, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233637, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233638, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385199, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb b/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb index f40e5cc6..d4680a13 100644 --- a/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb +++ b/lib/one_gadget/builds/libc-2.24-0f523a27b7460f50befd3d281238c6f189c92d84.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239564, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239566, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239570, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239577, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239612, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239613, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391285, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb b/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb index cfcfc96b..d9bfc710 100644 --- a/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb +++ b/lib/one_gadget/builds/libc-2.24-1c3ec3a011b1005cb1c2c32fc6dbc4e6e9cef4bb.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 487261, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 487263, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 487267, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 487274, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 487309, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 487310, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 642435, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb b/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb index fa9d2942..bea0979a 100644 --- a/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb +++ b/lib/one_gadget/builds/libc-2.24-1da8c8ac3c71c30040cf58b563ae48e39bbae86f.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254498, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254505, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254589, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706936, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836125, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 836137, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb b/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb index cc86605e..398e3947 100644 --- a/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb +++ b/lib/one_gadget/builds/libc-2.24-1ddd6fca9cd87c66e6a19df018f5992e9fa6453d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233509, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233511, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233522, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233557, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233558, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385119, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb b/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb index a37d1929..c5a972c1 100644 --- a/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb +++ b/lib/one_gadget/builds/libc-2.24-1f253610e390e5237eb7949212e08166fba3ca4b.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241148, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241150, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241154, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241161, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241196, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241197, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 394501, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb b/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb index 4f48d289..fe4748e9 100644 --- a/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb +++ b/lib/one_gadget/builds/libc-2.24-1f7bdfb9a24714835cee6e6597ea7aa782821371.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239484, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239486, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239490, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239497, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239532, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239533, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391205, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb b/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb index db77078d..fece8804 100644 --- a/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb +++ b/lib/one_gadget/builds/libc-2.24-206b2bb216b6cdb6b1be565a6fcd29f3862db060.rb 
@@ -19,31 +19,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 283983, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283990, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 284074, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 843370, - constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r13)") OneGadget::Gadget.add(build_id, 844053, - constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"], + constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])") OneGadget::Gadget.add(build_id, 844057, - constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"], effect: "execve(\"/bin/sh\", r9, [rbp-0x50])") OneGadget::Gadget.add(build_id, 844061, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") 
OneGadget::Gadget.add(build_id, 988817, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 988829, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 992537, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb b/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb index 0129559e..3667d6ed 100644 --- a/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb +++ b/lib/one_gadget/builds/libc-2.24-20cbb98b62f46ee16b182d1b357146577c40ebb7.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756399, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878661, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878673, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb b/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb index 3c9ac80f..16d93b3e 100644 --- a/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb +++ b/lib/one_gadget/builds/libc-2.24-236e52c7896f5403d8065cf3965fdb2d31d56891.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239292, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239294, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239298, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239305, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239340, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239341, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391013, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb b/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb index 576ee8fb..f9389c85 100644 --- a/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb +++ b/lib/one_gadget/builds/libc-2.24-24b1296687d36e24bd48b8c412157d94f074ecc2.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258991, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258998, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259082, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756360, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878645, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878657, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb b/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb index afe1bf30..1a36a4cc 100644 --- a/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb +++ b/lib/one_gadget/builds/libc-2.24-253debb34a7d493c0b8e2d6db2079e3d680459f5.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258783, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258790, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258874, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756424, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878693, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878705, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb b/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb index e176de47..0eb358c4 100644 --- a/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb +++ b/lib/one_gadget/builds/libc-2.24-26e84118fee5788eb5d8dda66b7e7f029d2c7800.rb 
@@ -19,17 +19,26 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248396, + constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248400, - constraints: ["writable: x19+0x258", "x3+0x9f8 == NULL"], + constraints: ["writable: x19+0x258", "x3+0x9f8 == NULL || {x3+0x9f8, \"-c\", x24, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248404, - constraints: ["writable: x19+0x258", "x3 == NULL"], + constraints: ["writable: x19+0x258", "x3 == NULL || {x3, \"-c\", x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") +OneGadget::Gadget.add(build_id, 248412, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0+0xa00, x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") +OneGadget::Gadget.add(build_id, 248416, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0, x24, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248440, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL || {[sp+0x68], [sp+0x70], [sp+0x78], [sp+0x80], ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248476, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL || x21 is a valid argv"], effect: "execve(\"/bin/sh\", x21, environ)") OneGadget::Gadget.add(build_id, 398984, constraints: ["x2+0xa00 == NULL"], 
diff --git a/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb b/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb index d341a056..a36fdce4 100644 --- a/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb +++ b/lib/one_gadget/builds/libc-2.24-2ee9e1740da616757f2e6d5ba58576c0c7302fff.rb @@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258783, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258790, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258874, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756424, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878693, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878705, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") 
diff --git a/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb b/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb index ea115517..414ce22d 100644 --- a/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb +++ b/lib/one_gadget/builds/libc-2.24-30acfe88fed30ad3f8cb88425b80ea96899655aa.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240492, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240494, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240498, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240505, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240540, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240541, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 392117, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb b/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb index d6689b85..5fc86ea1 100644 --- a/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb +++ b/lib/one_gadget/builds/libc-2.24-33801a6f55c5c3cdf7d83590b433adcbab08a688.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254482, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254489, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254573, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 707343, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836503, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 836515, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb b/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb index 110f29b8..d473f491 100644 --- a/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb +++ b/lib/one_gadget/builds/libc-2.24-349119af9e223829ea24f6b7226bdff0182e73f2.rb 
@@ -19,31 +19,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 283983, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283990, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 284074, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 840298, - constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r13)") OneGadget::Gadget.add(build_id, 840981, - constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"], + constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])") OneGadget::Gadget.add(build_id, 840985, - constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"], effect: "execve(\"/bin/sh\", r9, [rbp-0x50])") OneGadget::Gadget.add(build_id, 840989, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") 
OneGadget::Gadget.add(build_id, 985745, - constraints: ["[rsp+0x50] == NULL"], + constraints: ["[rsp+0x50] == NULL || {[rsp+0x50], [rsp+0x58], [rsp+0x60], [rsp+0x68], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 985757, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 989465, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb b/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb index 19f3ba6c..586f0dc4 100644 --- a/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb +++ b/lib/one_gadget/builds/libc-2.24-35764bd71c58942e9131e3547b7c343098212d03.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233589, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233591, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233595, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233602, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233637, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233638, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385199, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb b/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb index d3ca473d..98e55730 100644 --- a/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb +++ b/lib/one_gadget/builds/libc-2.24-389260a6758c3f1dbc741c197e747341ed277cd2.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233589, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233591, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233595, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233602, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233637, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233638, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385199, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb b/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb index 9d2fd063..67ffe169 100644 --- a/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb +++ b/lib/one_gadget/builds/libc-2.24-3b24749bb184473f81819312e3d86903915eaf65.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb b/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb index 362cb6df..f988af43 100644 --- a/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb +++ b/lib/one_gadget/builds/libc-2.24-3ea4c67e60e49b8164b692166115bbf927e521db.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 489965, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 489967, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 489971, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 489978, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 490013, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 490014, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 645139, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb b/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb index f66cf98c..1504b3d4 100644 --- a/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb +++ b/lib/one_gadget/builds/libc-2.24-3f89db5baa7e88162377fab6a1590f732a355401.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 489549, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 489551, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 489555, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 489562, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 489597, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 489598, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 644723, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb b/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb index 0a41e285..4eb1549f 100644 --- a/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb +++ b/lib/one_gadget/builds/libc-2.24-3fce81d490804af9759c70bf197380bc05a584c2.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239484, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239486, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239490, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239497, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239532, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239533, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391205, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb b/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb index 1a99f0b0..47aa2249 100644 --- a/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb +++ b/lib/one_gadget/builds/libc-2.24-43adbb1e7368c94fba1ba9020d8ef0808bff5bc4.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258959, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258966, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259050, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757064, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 879333, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 879345, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb b/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb index 11f5cb71..bef8c4eb 100644 --- a/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb +++ b/lib/one_gadget/builds/libc-2.24-43faee19af5e1d20163c6492862fca1a4146b668.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254498, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254505, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254589, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706936, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836125, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 836137, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb b/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb index c6132a0b..a5d9adc7 100644 --- a/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb +++ b/lib/one_gadget/builds/libc-2.24-45adab2b0ad8604e35eeea0b30d6ec1ad11642af.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258927, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258934, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259018, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756520, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878805, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878817, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb b/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb index 77eddbaa..d820e139 100644 --- a/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb +++ b/lib/one_gadget/builds/libc-2.24-46bb6303e03d21ec9b79334370e1b39a51f883b1.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234677, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234679, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234683, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234690, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234725, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234726, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 386143, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb b/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb index 16ba1444..e458e74f 100644 --- a/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb +++ b/lib/one_gadget/builds/libc-2.24-497931f8d2346a6d0e300a65d8fc6106c6c88c15.rb 
@@ -19,14 +19,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248276, + constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 248284, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x3a8 == NULL || {x4+0x3a8, \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248288, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x3a8 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x3a8 == NULL || {x4+0x3a8, x3+0x3b0, x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 248292, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x3b0, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248300, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248360, - constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"], + constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"], effect: "execve(\"/bin/sh\", x22, environ)") OneGadget::Gadget.add(build_id, 398708, constraints: ["x2+0x3b0 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb b/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb index 476d6d2a..b2b4040f 100644 --- a/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb +++ b/lib/one_gadget/builds/libc-2.24-4d0bb76f378375d584a373929f6d5b695f53db99.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756392, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878661, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878673, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb b/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb index cc48de61..4202f45c 100644 --- a/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb +++ b/lib/one_gadget/builds/libc-2.24-4dac034d41342a93593b3e18aa05f4b69c2909c9.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 487597, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 487599, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 487603, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 487610, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 487645, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 487646, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 642771, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb b/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb index fdbf9c27..ec15792f 100644 --- a/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb +++ b/lib/one_gadget/builds/libc-2.24-4fa7401566d6b3e2c7ee5df3b4d85a01f85b595c.rb 
@@ -19,14 +19,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248468, + constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 248476, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xc48 == NULL || {x4+0xc48, \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248480, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xc48 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xc48 == NULL || {x4+0xc48, x3+0xc50, x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 248484, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0xc50, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248492, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248552, - constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"], + constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"], effect: "execve(\"/bin/sh\", x22, environ)") OneGadget::Gadget.add(build_id, 399116, constraints: ["x2+0xc50 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb b/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb index d31f0777..5c97b58f 100644 --- a/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb +++ b/lib/one_gadget/builds/libc-2.24-5284cbfbd543755c2fa4df64a20ccb14e7ded30c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233509, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233511, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233522, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233557, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233558, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385119, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb b/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb index afa6d781..843fea6e 100644 --- a/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb +++ b/lib/one_gadget/builds/libc-2.24-53bab59259db20458dc7d753dd2950916f6e47de.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234245, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234247, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234251, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234258, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234293, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234294, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 384815, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb b/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb index 6b34297c..ac8e7e5c 100644 --- a/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb +++ b/lib/one_gadget/builds/libc-2.24-568d20b7e0d08bc282fb42ae405c7054e4209ede.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258943, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258950, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259034, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756607, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878847, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 878859, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb b/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb index c199aecd..e914628f 100644 --- a/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb +++ b/lib/one_gadget/builds/libc-2.24-595aeaf311d354bbcd3f311e218f6b40fe711046.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234309, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234311, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234315, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234322, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234357, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234358, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 384879, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb b/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb index 4b2b32b1..6f5e89f3 100644 --- a/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb +++ b/lib/one_gadget/builds/libc-2.24-5a75868ead9dbb03eb4d668ff2918f341f949387.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239292, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239294, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239298, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239305, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239340, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239341, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391013, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb b/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb index 4eb7858c..b8ba826b 100644 --- a/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb +++ b/lib/one_gadget/builds/libc-2.24-5b72576ff331e93852355123afecdec70fd247b5.rb 
@@ -19,31 +19,34 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 283935,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 283942,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 284026,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 840257,
- constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", r15, r13)")
 OneGadget::Gadget.add(build_id, 840929,
- constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
 effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])")
 OneGadget::Gadget.add(build_id, 840933,
- constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, [rbp-0x50])")
 OneGadget::Gadget.add(build_id, 840937,
- constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r9, rdx)")
 OneGadget::Gadget.add(build_id, 985681,
- constraints: ["[rsp+0x40] == NULL"],
+ constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x40, environ)")
 OneGadget::Gadget.add(build_id, 985693,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
 OneGadget::Gadget.add(build_id, 989387,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
diff --git a/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb b/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb
index 2981650a..08314ee2 100644
--- a/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb
+++ b/lib/one_gadget/builds/libc-2.24-6194e9b483a157d38ab633a5bf3c37f9ed6b7e04.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254674,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254681,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254765,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 707144,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 836605,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 836617,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb b/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb
index 7515ba79..b9923ba0 100644
--- a/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb
+++ b/lib/one_gadget/builds/libc-2.24-6a5885d005a0e25074da79038453af3c1bbd16a1.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258959,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258966,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259050,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756344,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878629,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878641,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb b/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb
index 1d9b5141..7347ae1d 100644
--- a/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb
+++ b/lib/one_gadget/builds/libc-2.24-6a6d4ead4f4d511091e34c8baebaab04b97913e0.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234405,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234407,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234411,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234418,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234453,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234454,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 384831,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb b/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb
index 6567fad5..8b837596 100644
--- a/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb
+++ b/lib/one_gadget/builds/libc-2.24-6d3ffad6407f2ea71f9121d761426f3a917f4216.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 234245,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 234247,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 234251,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 234258,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 234293,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 234294,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 384815,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb b/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb
index d30c70ae..8fb29d46 100644
--- a/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb
+++ b/lib/one_gadget/builds/libc-2.24-6dd40dc4bc5ee908b857c00c1b2a00c58ebc1596.rb
@@ -19,22 +19,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 486989,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x24, environ)")
 OneGadget::Gadget.add(build_id, 486991,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 486995,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 487002,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 487037,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 487038,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 642163,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb b/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb
index b5eb4b9c..d2912914 100644
--- a/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb
+++ b/lib/one_gadget/builds/libc-2.24-756da9d194e16bccf2c342a12d8ea01e677fcba7.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258735,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258742,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258826,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756767,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878959,
- constraints: ["[rsp+0x60] == NULL"],
+ constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x60, environ)")
 OneGadget::Gadget.add(build_id, 878971,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb b/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb
index 732ff7b9..f13d9a67 100644
--- a/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb
+++ b/lib/one_gadget/builds/libc-2.24-7a7fafb866f1680656f7343e9d38fa76986bcfff.rb
@@ -19,22 +19,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 489965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x24, environ)")
 OneGadget::Gadget.add(build_id, 489967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 489971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 489978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 490013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 490014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 645139,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb b/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb
index 93e2b4ee..62bcec2b 100644
--- a/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb
+++ b/lib/one_gadget/builds/libc-2.24-7e0f1b3a8efe3adcf3080b20447ac4bd47aaf489.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258927,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258934,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 259018,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756520,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878805,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878817,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb b/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb
index e81d236f..75e4b0e1 100644
--- a/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb
+++ b/lib/one_gadget/builds/libc-2.24-805005b60c0c3e63eb593a5041fc9f7803e3b87d.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 240492,
- constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 240494,
- constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 240498,
- constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 240505,
- constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 240540,
- constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 240541,
- constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 392117,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb b/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb
index 0fe064ae..5aec5cb7 100644
--- a/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb
+++ b/lib/one_gadget/builds/libc-2.24-856e263a6c8431b34f1ab69b55abbe453a135c52.rb
@@ -19,22 +19,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 489965,
- constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x24, environ)")
 OneGadget::Gadget.add(build_id, 489967,
- constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x28, environ)")
 OneGadget::Gadget.add(build_id, 489971,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 489978,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 490013,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 490014,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 645139,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb b/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb
index f5d5cce4..bf3a94a2 100644
--- a/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb
+++ b/lib/one_gadget/builds/libc-2.24-8a683c08dbc27e1ceab72d87cd00b5d6208f7620.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 254498,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254505,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 254589,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 706968,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 836157,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 836169,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb b/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb
index 856358dc..c2dc5c0f 100644
--- a/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb
+++ b/lib/one_gadget/builds/libc-2.24-8cba3297f538691eb1875be62986993c004f3f4d.rb
@@ -19,19 +19,22 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 258895,
+ constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"],
+ effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258902,
- constraints: ["rax == NULL"],
+ constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 258986,
- constraints: ["[rsp+0x30] == NULL"],
+ constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 756280,
- constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"],
+ constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"],
 effect: "execve(\"/bin/sh\", r13, r12)")
 OneGadget::Gadget.add(build_id, 878565,
- constraints: ["[rsp+0x70] == NULL"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", rsp+0x70, environ)")
 OneGadget::Gadget.add(build_id, 878577,
- constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, [rax])")
diff --git a/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb b/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb
index 51495011..8482cb6b 100644
--- a/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb
+++ b/lib/one_gadget/builds/libc-2.24-8eb1e49d70f349433d3d4a712b4746c73481012d.rb
@@ -20,22 +20,22 @@
 build_id = File.basename(__FILE__, '.rb').split('-').last
 OneGadget::Gadget.add(build_id, 233589,
- constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x2c, environ)")
 OneGadget::Gadget.add(build_id, 233591,
- constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x30, environ)")
 OneGadget::Gadget.add(build_id, 233595,
- constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x34, environ)")
 OneGadget::Gadget.add(build_id, 233602,
- constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"],
 effect: "execve(\"/bin/sh\", esp+0x38, environ)")
 OneGadget::Gadget.add(build_id, 233637,
- constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"],
 effect: "execve(\"/bin/sh\", eax, [esp])")
 OneGadget::Gadget.add(build_id, 233638,
- constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"],
 effect: "execve(\"/bin/sh\", [esp], [esp+0x4])")
 OneGadget::Gadget.add(build_id, 385199,
 constraints: ["ebx is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb b/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb
index f51e4a11..089e7392 100644
--- a/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb
+++ b/lib/one_gadget/builds/libc-2.24-91b0020fb992b67e3c368576943fde81e4ec7ec9.rb
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254674, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254681, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254765, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 707144, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836605, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 836617, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb b/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb index 37c32816..33f88bf3 100644 --- a/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb +++ b/lib/one_gadget/builds/libc-2.24-9378343c5442ef04933110045638b2daafa16098.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb b/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb index 06743951..7f078efb 100644 --- a/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb +++ b/lib/one_gadget/builds/libc-2.24-976f2a94a6a1db73c935bce8db1e5a28a46d8535.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239292, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239294, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239298, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239305, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239340, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239341, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391013, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb b/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb index ebedc008..428111e6 100644 --- a/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb +++ b/lib/one_gadget/builds/libc-2.24-980296526a2060e4e53dfa8ded76917c3f9b851c.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233589, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233591, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233595, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233602, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233637, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233638, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385199, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb b/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb index 71b688f0..22c5d9d0 100644 --- a/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb +++ b/lib/one_gadget/builds/libc-2.24-9a006ea92b333aa035fdecc8dc0b28e1d04edd37.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240492, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240494, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240498, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240505, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240540, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240541, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 392117, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb b/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb index fe9cd4e0..3a54ab1b 100644 --- a/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb +++ b/lib/one_gadget/builds/libc-2.24-9ae48d5843f29af366655a00fb0636db91328abb.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254498, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254505, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254589, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706911, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836077, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 836089, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb b/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb index c681087e..5ce26249 100644 --- a/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb +++ b/lib/one_gadget/builds/libc-2.24-9b7db6636c9f2f03c9523b02db229741e2250550.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756424, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878693, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878705, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb b/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb index b82e4e1b..102aa3c6 100644 --- a/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb +++ b/lib/one_gadget/builds/libc-2.24-9e638553dc7a08748d03c42455ecd6bb9bd8f8cd.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233589, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233591, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233595, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233602, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233637, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233638, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385199, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb b/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb index e17f044c..fd16e17c 100644 --- a/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb +++ b/lib/one_gadget/builds/libc-2.24-a4c01d397b6584f7040ef266b16a5d4da0b7a087.rb 
@@ -19,17 +19,26 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248396, + constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248400, - constraints: ["writable: x19+0x258", "x3+0xbb8 == NULL"], + constraints: ["writable: x19+0x258", "x3+0xbb8 == NULL || {x3+0xbb8, \"-c\", x24, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248404, - constraints: ["writable: x19+0x258", "x3 == NULL"], + constraints: ["writable: x19+0x258", "x3 == NULL || {x3, \"-c\", x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") +OneGadget::Gadget.add(build_id, 248412, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0+0xbc0, x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x68, environ)") +OneGadget::Gadget.add(build_id, 248416, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x3 == NULL || {x3, x0, x24, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248440, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "[sp+0x68] == NULL || {[sp+0x68], [sp+0x70], [sp+0x78], [sp+0x80], ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x68, environ)") OneGadget::Gadget.add(build_id, 248476, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "[x21] == NULL || x21 == NULL || x21 is a valid argv"], effect: "execve(\"/bin/sh\", x21, environ)") OneGadget::Gadget.add(build_id, 398984, constraints: ["x2+0xbc0 == NULL"], 
diff --git a/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb b/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb index b5123f99..d311b371 100644 --- a/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb +++ b/lib/one_gadget/builds/libc-2.24-a51ace667ccae6a8887837efb18259a906704bed.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393909, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb b/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb index 42976ce6..4e8cc366 100644 --- a/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb +++ b/lib/one_gadget/builds/libc-2.24-a822e789c3428254f309f81600b9e5ae551a3461.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233509, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233511, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233522, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233557, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233558, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385119, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb b/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb index 615a146f..2d87598c 100644 --- a/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb +++ b/lib/one_gadget/builds/libc-2.24-aad7dbe330f23ea00ca63daf793b766b51aceb5d.rb 
@@ -19,31 +19,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 283935, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283942, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 284026, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 843329, - constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r13)") OneGadget::Gadget.add(build_id, 844001, - constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"], + constraints: ["[[rbp-0x78]] == NULL || [rbp-0x78] == NULL || [rbp-0x78] is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x50])") OneGadget::Gadget.add(build_id, 844005, - constraints: ["[r9] == NULL || r9 == NULL", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[[rbp-0x50]] == NULL || [rbp-0x50] == NULL || [rbp-0x50] is a valid envp"], effect: "execve(\"/bin/sh\", r9, [rbp-0x50])") OneGadget::Gadget.add(build_id, 844009, - constraints: ["[r9] == NULL || r9 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r9] == NULL || r9 == NULL || r9 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r9, rdx)") 
OneGadget::Gadget.add(build_id, 988753, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 988765, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 992459, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb b/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb index 1553d64d..75adc038 100644 --- a/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb +++ b/lib/one_gadget/builds/libc-2.24-acd08eb60d44e32e85530f0537d46f8cd422403e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233589, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233591, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233595, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233602, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233637, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233638, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385199, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb b/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb index ffd96dd5..d17b3f36 100644 --- a/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb +++ b/lib/one_gadget/builds/libc-2.24-b81a06f0ac241c4aa8860602d9abcc903adbb675.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239564, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239566, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239570, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239577, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239612, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239613, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391285, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb b/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb index 54ecd742..7833cd88 100644 --- a/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb +++ b/lib/one_gadget/builds/libc-2.24-b8a944084a03aec90d871ca8a5fac48801cc064d.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb b/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb index c7cc26b9..0ce065dc 100644 --- a/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb +++ b/lib/one_gadget/builds/libc-2.24-b95a6603e6113924f82409ff65e6ed1514afd3db.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254482, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254489, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254573, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706911, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836071, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 836083, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb b/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb index 8423dea3..7a84bca0 100644 --- a/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb +++ b/lib/one_gadget/builds/libc-2.24-bb0d156759d9bdfec06f5decd1c03785bcbc0ba1.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb b/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb index 71c1a93f..cdec359f 100644 --- a/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb +++ b/lib/one_gadget/builds/libc-2.24-bccffaa4c34e166b9c09e8802ce09989d1e8f46a.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258735, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258742, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258826, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756655, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878847, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 878859, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb b/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb index 78283efa..fc6c1384 100644 --- a/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb +++ b/lib/one_gadget/builds/libc-2.24-be6d412ecc4816c46eb49e750b02f714a9131c4e.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393909, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb b/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb index f2e39d9d..136ada21 100644 --- a/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb +++ b/lib/one_gadget/builds/libc-2.24-c116abd24efe14f6dc2f98cef3d673934f6d66d0.rb 
@@ -19,19 +19,19 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 438928, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 438947, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL", "[[eax]] == NULL || [eax] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv", "[[eax]] == NULL || [eax] == NULL || [eax] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x24, [eax])") OneGadget::Gadget.add(build_id, 438949, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", esp+0x28, [esp])") OneGadget::Gadget.add(build_id, 438953, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 438954, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] == NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") 
OneGadget::Gadget.add(build_id, 591648, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb b/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb index 7282ae9e..336a587a 100644 --- a/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb +++ b/lib/one_gadget/builds/libc-2.24-c1fd7dc1c8a6915e5f7a7f24a5901a239d473f08.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb b/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb index 75c31095..131161e7 100644 --- a/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb +++ b/lib/one_gadget/builds/libc-2.24-c451b072ff6aa62ba6e054c06e633fa297a3a7eb.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756392, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878661, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878673, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb b/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb index cfad77dc..21c66991 100644 --- a/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb +++ b/lib/one_gadget/builds/libc-2.24-c5a0679981d0258465ddba6b975c9340cbf20d22.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756383, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878629, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878641, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb b/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb index 7ce4e248..b933be07 100644 --- a/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb +++ b/lib/one_gadget/builds/libc-2.24-c62f8c5ce9f5304f054922d39d0c0fa94d9e9531.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240876, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240878, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240882, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240889, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240924, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240925, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393429, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb b/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb index bb2b683c..4e88daff 100644 --- a/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb +++ b/lib/one_gadget/builds/libc-2.24-c7d3ac73ddd0865d350bd570771cf3a964a1ddbd.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb b/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb index f083fc6e..25911ef8 100644 --- a/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb +++ b/lib/one_gadget/builds/libc-2.24-c9133ae8d86b5d469422e0c51a19e7910ebeae41.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258735, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258742, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258826, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756767, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878959, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 878971, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb b/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb index 1f87c347..e12a2972 100644 --- a/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb +++ b/lib/one_gadget/builds/libc-2.24-cc7e13208dfc283e75a9491f8507429f647eac05.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254498, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254505, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254589, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 706943, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836125, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 836137, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb b/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb index 20eb9955..dd275a3a 100644 --- a/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb +++ b/lib/one_gadget/builds/libc-2.24-d2a8a8ac188a6c3bafa4813a3d2789240ee49489.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241436, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241438, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241442, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241449, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241484, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241485, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393973, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb b/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb index 078352c8..7cfadb70 100644 --- a/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb +++ b/lib/one_gadget/builds/libc-2.24-d67af93d54c07bbe5d252ef6f176ec77b866c786.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240876, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240878, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240882, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240889, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240924, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240925, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393429, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb b/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb index 2ce71e3a..761ee79f 100644 --- a/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb +++ b/lib/one_gadget/builds/libc-2.24-d8ba284042773fed1189bcf927960999f4c1de55.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 487261, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 487263, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 487267, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 487274, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 487309, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 487310, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 642435, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb b/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb index 0a5f7300..3a40f3eb 100644 --- a/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb +++ b/lib/one_gadget/builds/libc-2.24-da518391ad926bb7535f2095df0be265180eeed5.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756424, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878693, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878705, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb b/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb index 1947fcb2..7ce2b9c7 100644 --- a/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb +++ b/lib/one_gadget/builds/libc-2.24-dab413a7e3b33dde527af308a09a55ade6b41e84.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258735, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258742, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258826, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756319, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878511, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 878523, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb b/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb index 82ed978f..753672c6 100644 --- a/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb +++ b/lib/one_gadget/builds/libc-2.24-dc799b9197929f88cebc6aa72e3be388cacfb1df.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239372, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239374, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239378, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239385, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239420, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239421, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391093, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb b/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb index 1eb1cc91..ac538f37 100644 --- a/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb +++ b/lib/one_gadget/builds/libc-2.24-deefae132c5a39ba892bc189edd91f73c1ea1f14.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258959, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258966, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259050, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756632, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878901, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878913, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb b/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb index 3a3b9866..90d9fd3c 100644 --- a/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb +++ b/lib/one_gadget/builds/libc-2.24-dff06414a29b97b865ef938e06a7751fe8b1b2d0.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 241436, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 241438, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 241442, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 241449, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 241484, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 241485, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 393973, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb b/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb index dab4c8b9..7dea270b 100644 --- a/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb +++ b/lib/one_gadget/builds/libc-2.24-e0206d9b8d7ad3abc39a94dbc37bb3b42c9f1345.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 239292, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 239294, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 239298, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 239305, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 239340, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 239341, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391013, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb b/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb index a63467b1..61b4190d 100644 --- a/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb +++ b/lib/one_gadget/builds/libc-2.24-e5dc6c0caa39828fa10ed37e642723a581acdb6d.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258943, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258950, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 259034, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 757039, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 879279, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 879291, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb b/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb index f7662739..5adebe1a 100644 --- a/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb +++ b/lib/one_gadget/builds/libc-2.24-e7de387eec0b57da248cc4e74edefcfcb55bd204.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 487725, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 487727, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 487731, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 487738, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 487773, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 487774, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 642899, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb b/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb index c50a8365..3577d763 100644 --- a/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb +++ b/lib/one_gadget/builds/libc-2.24-eaadebbded05e24bc9853c39b2241436f96d41ef.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 233509, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 233511, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 233515, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 233522, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 233557, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 233558, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 385119, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb b/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb index b836f826..89d09ed3 100644 --- a/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb +++ b/lib/one_gadget/builds/libc-2.24-eb6b0b1e1c5cf4579e66eadb083885884dc0b648.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 254482, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254489, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 254573, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 707343, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 836503, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 836515, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb b/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb index 8019c31e..763c0bbb 100644 --- a/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb +++ b/lib/one_gadget/builds/libc-2.24-f5ffc1b2b1282d79097f4ce84b519d326dce1247.rb 
@@ -19,19 +19,22 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258751, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258758, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 258842, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 756399, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 878661, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 878673, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb b/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb index 030d9ff7..d2654406 100644 --- a/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb +++ b/lib/one_gadget/builds/libc-2.24-fb431a54ddae802fd1c59850cbbc408a05d3deb8.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 240124, - constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 240126, - constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 240130, - constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 240137, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 240172, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 240173, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 391077, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb b/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb index a8e14cce..1c75ca93 100644 --- a/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb +++ b/lib/one_gadget/builds/libc-2.24-fc121fe8b1eaa6ea0babbc3b8ce6e12adfcc3719.rb 
@@ -19,22 +19,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 488013, - constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x24] == NULL || {[esp+0x24], [esp+0x28], [esp+0x2c], [esp+0x30], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x24, environ)") OneGadget::Gadget.add(build_id, 488015, - constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x28] == NULL || {[esp+0x28], [esp+0x2c], [esp+0x30], [esp+0x34], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x28, environ)") OneGadget::Gadget.add(build_id, 488019, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 488026, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 488061, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 488062, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 643139, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb b/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb index 13ebf3c0..0bf21fd8 100644 --- a/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb +++ b/lib/one_gadget/builds/libc-2.24-fd0655c4d2073eda4235084e1d0e558f0251be8a.rb 
@@ -19,14 +19,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 248092, + constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 248100, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xad0 == NULL || {x4+0xad0, \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248104, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xad0 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0xad0 == NULL || {x4+0xad0, x3+0xad8, x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 248108, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0xad8, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248116, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 248176, - constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"], + constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"], effect: "execve(\"/bin/sh\", x22, environ)") OneGadget::Gadget.add(build_id, 398468, constraints: ["x2+0xad8 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb b/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb index 86082729..6ee5c76f 100644 --- a/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb +++ b/lib/one_gadget/builds/libc-2.24-fe976940471b3f683eeebb268f095b7ff1c898c1.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 234677, - constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x2c] == NULL || {[esp+0x2c], [esp+0x30], [esp+0x34], [esp+0x38], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x2c, environ)") OneGadget::Gadget.add(build_id, 234679, - constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x30] == NULL || {[esp+0x30], [esp+0x34], [esp+0x38], [esp+0x3c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x30, environ)") OneGadget::Gadget.add(build_id, 234683, - constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 234690, - constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["ebx is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 234725, - constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["ebx is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 234726, - constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["ebx is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 386143, constraints: ["ebx is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb b/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb index c8b8034f..56a2103f 100644 --- a/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb +++ b/lib/one_gadget/builds/libc-2.25-58c735bc7b19b0aeb395cce70cf63bd62ac75e4a.rb 
@@ -19,28 +19,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 265092, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 265099, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 265183, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 765680, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") +OneGadget::Gadget.add(build_id, 765728, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 765738, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 765742, - constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x30", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 765750, - 
constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], [rbp-0x30], [rbp-0x28], ...} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 890131, - constraints: ["[rsp+0x80] == NULL"], + constraints: ["[rsp+0x80] == NULL || {[rsp+0x80], [rsp+0x88], [rsp+0x90], [rsp+0x98], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x80, environ)") OneGadget::Gadget.add(build_id, 890146, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb b/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb index 84b226da..f40fe1be 100644 --- a/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb +++ b/lib/one_gadget/builds/libc-2.25-912fc00c0da67045111928bd5c8a350e5be18c41.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 246145, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 246147, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 246151, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 246158, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 246193, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 246194, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401519, constraints: ["edi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb b/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb index c66be96d..b7ce4550 100644 --- a/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb +++ b/lib/one_gadget/builds/libc-2.25-e5eb6347f0629b37bf698200022a683b7efb10ed.rb 
@@ -19,14 +19,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 250588, + constraints: ["writable: x19+0x258", "{\"sh\", \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 250596, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x7e0 == NULL || {x4+0x7e0, \"-c\", x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 250600, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x7e0 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4+0x7e0 == NULL || {x4+0x7e0, x3+0x7e8, x23, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x58, environ)") +OneGadget::Gadget.add(build_id, 250604, + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3+0x7e8, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 250612, - constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL"], + constraints: ["writable: x19+0x258", "writable: x20+0x4", "x4 == NULL || {x4, x3, x23, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x58, environ)") OneGadget::Gadget.add(build_id, 250672, - constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL"], + constraints: ["writable: x20+0x4", "[x22] == NULL || x22 == NULL || x22 is a valid argv"], effect: "execve(\"/bin/sh\", x22, environ)") OneGadget::Gadget.add(build_id, 400676, constraints: ["x2+0x7e8 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb b/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb index dd6045a8..45d6e618 100644 --- a/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb +++ b/lib/one_gadget/builds/libc-2.25-eae5038c2b9ae67d9eda345aa9fbe0a7185ab436.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 246097, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 246099, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 246103, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 246110, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 246145, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 246146, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 401983, constraints: ["edi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb b/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb index c43288f4..64619a11 100644 --- a/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb +++ b/lib/one_gadget/builds/libc-2.26-1c39b3b3faa2a2cbb0fa0b6845b29332562262d3.rb 
@@ -19,28 +19,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 269091, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 269098, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 269182, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 799344, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") +OneGadget::Gadget.add(build_id, 799392, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 799402, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 799406, - constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x30", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 799414, - 
constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], [rbp-0x30], [rbp-0x28], ...} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 921646, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 921658, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb b/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb index 936dd252..9c1b954d 100644 --- a/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb +++ b/lib/one_gadget/builds/libc-2.26-3b850bf60461afbdd83317b248b3f687e52ff18e.rb 
@@ -19,17 +19,26 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255548, + constraints: ["writable: x20+0x318", "{\"sh\", \"-c\", x25, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255552, - constraints: ["writable: x20+0x318", "x3+0xca0 == NULL"], + constraints: ["writable: x20+0x318", "x3+0xca0 == NULL || {x3+0xca0, \"-c\", x25, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255556, - constraints: ["writable: x20+0x318", "x3 == NULL"], + constraints: ["writable: x20+0x318", "x3 == NULL || {x3, \"-c\", x25, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") +OneGadget::Gadget.add(build_id, 255564, + constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0+0xca8, x25, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") +OneGadget::Gadget.add(build_id, 255568, + constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0, x25, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255592, - constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL"], + constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL || {[sp+0x70], [sp+0x78], [sp+0x80], [sp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255628, - constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL"], + constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL || x21 is a valid argv"], effect: "execve(\"/bin/sh\", x21, environ)") OneGadget::Gadget.add(build_id, 409132, constraints: ["x2+0xca8 == NULL"], 
diff --git a/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb b/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb index a0a33c63..a85572fc 100644 --- a/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb +++ b/lib/one_gadget/builds/libc-2.26-499b381aaf00ce85ee5d4a12770ea369b30d2a41.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 248879, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 248881, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248885, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 248892, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 248927, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 248928, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 421503, constraints: ["edi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb b/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb index f7d808e8..065d2466 100644 --- a/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb +++ b/lib/one_gadget/builds/libc-2.26-4cc84abfe1fd26a485fc2b1b954c281ce9d358fd.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 250868, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 250870, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 250874, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 250881, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 250916, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 250917, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 425551, constraints: ["edi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb b/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb index aafc2515..769d577a 100644 --- a/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb +++ b/lib/one_gadget/builds/libc-2.26-4ea852c9d6a5084b8b58509b3b3d37d3d8cddb90.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 250868, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 250870, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 250874, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 250881, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 250916, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 250917, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 425551, constraints: ["edi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb b/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb index 5e32aa7d..702d56cd 100644 --- a/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb +++ b/lib/one_gadget/builds/libc-2.26-6d2b609f0c8e7b338f767b08c5ac712fac809d31.rb 
@@ -19,40 +19,46 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 293951, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 293958, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 294042, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 890627, - constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rbx)") +OneGadget::Gadget.add(build_id, 890912, + constraints: ["writable: rbp-0x48", "r14 == NULL || {\"/bin/sh\", r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 890922, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 890926, - constraints: ["writable: rbp-0x40", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 890934, - 
constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], [rbp-0x40], [rbp-0x38], ...} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891345, - constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL || [rbp-0xa0] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])") OneGadget::Gadget.add(build_id, 891352, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])") OneGadget::Gadget.add(build_id, 891356, - constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rcx, rdx)") OneGadget::Gadget.add(build_id, 1035374, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 1035386, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 1039134, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || 
{[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb b/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb index e3e36e72..e505ee66 100644 --- a/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb +++ b/lib/one_gadget/builds/libc-2.26-d4dd444f86cfc66c97c5e3eecb69fc5b86ea6539.rb 
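Review bot: The new entry 293951 at the top of this hunk carries the argv `{"sh", "-c", rbx, NULL}`, which is the `sh -c <rbx>` form rather than an interactive shell, yet its `effect` string is identical to the plain entries (`execve("/bin/sh", rsp+0x30, environ)`). A user who satisfies the constraint by pointing rbx at any readable string will get a shell that runs that string as a command and exits, so the practical requirement is that rbx points to a NUL-terminated command string; the same holds for 293958, where rax becomes argv[0] and rbx is still the `-c` operand. Consider having the generator say this explicitly, e.g. `"rbx points to a command string; argv is {\"sh\", \"-c\", rbx, NULL}"`, or documenting the `-c` form once in the build-file header comment so the distinction is not lost in the one-line output. This is generated content, so the wording fix belongs in the generator from #203 rather than in these files directly.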
@@ -19,17 +19,26 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 255548, + constraints: ["writable: x20+0x318", "{\"sh\", \"-c\", x25, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255552, - constraints: ["writable: x20+0x318", "x3+0xcc0 == NULL"], + constraints: ["writable: x20+0x318", "x3+0xcc0 == NULL || {x3+0xcc0, \"-c\", x25, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255556, - constraints: ["writable: x20+0x318", "x3 == NULL"], + constraints: ["writable: x20+0x318", "x3 == NULL || {x3, \"-c\", x25, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") +OneGadget::Gadget.add(build_id, 255564, + constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0+0xcc8, x25, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") +OneGadget::Gadget.add(build_id, 255568, + constraints: ["writable: x19+0x4", "writable: x20+0x318", "x3 == NULL || {x3, x0, x25, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255592, - constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL"], + constraints: ["writable: x19+0x4", "writable: x20+0x318", "[sp+0x70] == NULL || {[sp+0x70], [sp+0x78], [sp+0x80], [sp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 255628, - constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL"], + constraints: ["writable: x19+0x4", "writable: x20+0x318", "[x21] == NULL || x21 == NULL || x21 is a valid argv"], effect: "execve(\"/bin/sh\", x21, environ)") OneGadget::Gadget.add(build_id, 409132, constraints: ["x2+0xcc8 == NULL"], 
diff --git a/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb b/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb index 933b81fd..bb31f4dc 100644 --- a/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb +++ b/lib/one_gadget/builds/libc-2.26-ddcc13122ddbfe5e5ef77d4ebe66d124ae5762c2.rb 
@@ -19,40 +19,46 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 293951, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", rbx, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 293958, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 294042, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 890723, - constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rbx)") +OneGadget::Gadget.add(build_id, 891008, + constraints: ["writable: rbp-0x48", "r14 == NULL || {\"/bin/sh\", r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891018, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r14, NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891022, - constraints: ["writable: rbp-0x40", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891030, - 
constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], [rbp-0x40], [rbp-0x38], ...} is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, rbx)") OneGadget::Gadget.add(build_id, 891441, - constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[[rbp-0xa0]] == NULL || [rbp-0xa0] == NULL || [rbp-0xa0] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0xa0], [rbp-0x70])") OneGadget::Gadget.add(build_id, 891448, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])") OneGadget::Gadget.add(build_id, 891452, - constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rcx, rdx)") OneGadget::Gadget.add(build_id, 1035486, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 1035498, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 1039246, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || 
{[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb b/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb index cd3de516..d27d5ac2 100644 --- a/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb +++ b/lib/one_gadget/builds/libc-2.26-f65648a832414f2144ce795d75b6045a1ec2e252.rb 
@@ -20,22 +20,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 248879, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 248881, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248885, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 248892, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 248927, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 248928, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 421503, constraints: ["edi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb b/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb index d4a87ec5..9cf0e715 100644 --- a/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb +++ b/lib/one_gadget/builds/libc-2.26-fb587bc4429e7d1b0de31a3b9ee8ae78ee797eb0.rb 
@@ -19,28 +19,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 269091, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 269098, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 269182, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 799376, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") +OneGadget::Gadget.add(build_id, 799424, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 799434, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 799438, - constraints: ["writable: rbp-0x30", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x30", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 799446, - 
constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], [rbp-0x30], [rbp-0x28], ...} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 921694, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 921706, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb b/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb index fbf58c09..8de55ab3 100644 --- a/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb +++ b/lib/one_gadget/builds/libc-2.27-0e188ec5f09c187a7a92784d4b97aa251b15a93c.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 250067, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 250069, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 250073, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 250080, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 250115, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 250116, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 424575, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb b/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb index 5c202584..c2c38926 100644 --- a/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb +++ b/lib/one_gadget/builds/libc-2.27-14cd15d2eb0bc25c89045873cf807f7533e4788d.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 250291, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 250293, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 250297, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 250304, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 250339, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 250340, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 424927, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb b/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb index a184c7d4..f2682c8d 100644 --- a/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb +++ b/lib/one_gadget/builds/libc-2.27-2d1c5e0b85cb06ff47fa6fa088ec22cb6e06074e.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 248922, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 248924, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248928, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 248935, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 248970, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 248971, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 422671, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb b/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb index 8218118a..cbc21fb5 100644 --- a/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb +++ b/lib/one_gadget/builds/libc-2.27-63b3d43ad45e1b0f601848c65b067f9e9b40528b.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 248810, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 248812, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 248816, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 248823, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 248858, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 248859, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 422559, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb b/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb index a49dbfd8..a1cdef7b 100644 --- a/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb +++ b/lib/one_gadget/builds/libc-2.27-71f0f3074a929e519e85f6a5c03a7d1fd976bfe4.rb 
@@ -14,31 +14,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 324247, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") +OneGadget::Gadget.add(build_id, 324254, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324261, - constraints: ["rsp & 0xf == 0", "rcx == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324354, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 938831, - constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rbx)") OneGadget::Gadget.add(build_id, 939255, - constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])") OneGadget::Gadget.add(build_id, 939262, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])") 
OneGadget::Gadget.add(build_id, 939266, - constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rcx, rdx)") -OneGadget::Gadget.add(build_id, 939325, - constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], - effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1090300, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1090312, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb b/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb index fdfdcfee..8ddaff37 100644 --- a/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb +++ b/lib/one_gadget/builds/libc-2.27-73cd526a553b3b47c6dd0d6dc62175263cdc646e.rb 
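Review bot: Gadget 939325 is removed from this build with no replacement entry, and nothing in the hunk or the commit title says whether the regenerated analysis rejected it as a false positive or merely failed to reach it. Since these files are the shipped gadget database, a silently vanished offset is a behavioural regression for anyone relying on it, and the old entry's `writable: [rbp-0x78]+0x10` / `[rbp-0x78]` constraints looked plausible, so I would want confirmation that offset 939325 genuinely cannot reach execve under the new argv model. Please record the reason in the commit description (one sentence such as "939325 dropped: rejected by the argv validation introduced in #203" is enough) so the deletion is auditable later.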
@@ -14,22 +14,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 271543, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271550, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271634, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 806271, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806318, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 806325, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 929870, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 929882, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || 
rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb b/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb index ee407894..0b42da18 100644 --- a/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb +++ b/lib/one_gadget/builds/libc-2.27-9dd0bb57f81671704475d1e5163405f7b4d4b454.rb 
@@ -14,22 +14,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 271367, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271374, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271458, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 806783, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806830, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 806837, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 930286, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 930298, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || 
rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb b/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb index 513bd0a1..dd4f2a6a 100644 --- a/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb +++ b/lib/one_gadget/builds/libc-2.27-a5e88eb34369fb48113b9eda7a92e07b372f3cb7.rb 
@@ -14,22 +14,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 271655, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271662, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271746, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 806383, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806430, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 806437, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 929982, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 929994, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || 
rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb b/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb index ec137730..cc7a386c 100644 --- a/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb +++ b/lib/one_gadget/builds/libc-2.27-b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0.rb 
@@ -14,28 +14,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 324279, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") +OneGadget::Gadget.add(build_id, 324286, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324293, - constraints: ["rsp & 0xf == 0", "rcx == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324386, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 939679, - constraints: ["[r14] == NULL || r14 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r14] == NULL || r14 == NULL || r14 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r14, r12)") OneGadget::Gadget.add(build_id, 940120, - constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])") OneGadget::Gadget.add(build_id, 940127, - constraints: ["[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") 
OneGadget::Gadget.add(build_id, 940131, - constraints: ["[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") OneGadget::Gadget.add(build_id, 1090444, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1090456, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb b/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb index b465dfba..155ced52 100644 --- a/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb +++ b/lib/one_gadget/builds/libc-2.27-ba63c4a5f5c2b51e6e7e5df94017dc98b20e397a.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 249322, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 249324, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249328, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 249335, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 249370, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 249371, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 423071, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb b/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb index 25916cd3..fb3aa9a3 100644 --- a/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb +++ b/lib/one_gadget/builds/libc-2.27-ce450eb01a5e5acc7ce7b8c2633b02cc1093339e.rb 
@@ -14,31 +14,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 324551, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") +OneGadget::Gadget.add(build_id, 324558, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324565, - constraints: ["rsp & 0xf == 0", "rcx == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324658, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 939119, - constraints: ["[r13] == NULL || r13 == NULL", "[rbx] == NULL || rbx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rbx] == NULL || rbx == NULL || rbx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rbx)") OneGadget::Gadget.add(build_id, 939543, - constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])") OneGadget::Gadget.add(build_id, 939550, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])") 
OneGadget::Gadget.add(build_id, 939554, - constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rcx, rdx)") -OneGadget::Gadget.add(build_id, 939613, - constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], - effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1090588, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1090600, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb b/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb index 6b97ee93..f71f19d4 100644 --- a/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb +++ b/lib/one_gadget/builds/libc-2.27-cf1599aa8b3cb35f79dcaea7a8b48704ecf42a19.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 250147, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 250149, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 250153, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 250160, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 250195, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 250196, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 424783, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb b/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb index 3aaedd1a..fe2535bd 100644 --- a/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb +++ b/lib/one_gadget/builds/libc-2.27-d1237c55f6778f53b369cf22ff81979b2fe340bb.rb 
@@ -14,22 +14,28 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 271431, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271438, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 271522, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 806895, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") +OneGadget::Gadget.add(build_id, 806942, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 806949, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 930462, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 930474, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || 
rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb b/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb index a141c8a2..5d13c9e6 100644 --- a/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb +++ b/lib/one_gadget/builds/libc-2.27-d3cf764b2f97ac3efe366ddd07ad902fb6928fd7.rb 
@@ -14,28 +14,34 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 324439, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") +OneGadget::Gadget.add(build_id, 324446, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324453, - constraints: ["rsp & 0xf == 0", "rcx == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x50", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 324546, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 939775, - constraints: ["[r14] == NULL || r14 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r14] == NULL || r14 == NULL || r14 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r14, r12)") OneGadget::Gadget.add(build_id, 940216, - constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[[rbp-0x88]] == NULL || [rbp-0x88] == NULL || [rbp-0x88] is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", [rbp-0x88], [rbp-0x70])") OneGadget::Gadget.add(build_id, 940223, - constraints: ["[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") 
OneGadget::Gadget.add(build_id, 940227, - constraints: ["[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") OneGadget::Gadget.add(build_id, 1090652, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1090664, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb b/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb index b710532f..fd5c4dc1 100644 --- a/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb +++ b/lib/one_gadget/builds/libc-2.27-d831493b564a8632d1da5cc0fe44af45713cfeb6.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 250531, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 250533, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 250537, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 250544, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 250579, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 250580, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 425167, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb b/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb index 64c5c52e..256c8b21 100644 --- a/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb +++ b/lib/one_gadget/builds/libc-2.27-f4929d2a8af4629477103af6f1cfb3bebce80883.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 249066, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 249068, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 249072, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 249079, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 249114, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 249115, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 422815, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb b/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb index 2bc06538..a4b573b0 100644 --- a/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb +++ b/lib/one_gadget/builds/libc-2.28-26b3c1a40c8a0bd026975a262774bf52aec55107.rb 
@@ -14,14 +14,23 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 258248, + constraints: ["writable: x20+0x360", "{\"sh\", \"-c\", x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") +OneGadget::Gadget.add(build_id, 258252, + constraints: ["writable: x20+0x360", "x4+0x430 == NULL || {x4+0x430, \"-c\", x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 258256, - constraints: ["writable: x20+0x360", "x4+0x430 == NULL"], + constraints: ["writable: x20+0x360", "x4+0x430 == NULL || {x4+0x430, x3+0x438, x24, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", sp+0x70, environ)") +OneGadget::Gadget.add(build_id, 258260, + constraints: ["writable: x20+0x360", "x4 == NULL || {x4, x3+0x438, x24, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 258264, - constraints: ["writable: x20+0x360", "x4 == NULL"], + constraints: ["writable: x20+0x360", "x4 == NULL || {x4, x3, x24, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", sp+0x70, environ)") OneGadget::Gadget.add(build_id, 258328, - constraints: ["writable: x19+0x4", "writable: x20+0x360", "[x21] == NULL || x21 == NULL"], + constraints: ["writable: x19+0x4", "writable: x20+0x360", "[x21] == NULL || x21 == NULL || x21 is a valid argv"], effect: "execve(\"/bin/sh\", x21, environ)") OneGadget::Gadget.add(build_id, 409712, constraints: ["x2+0x438 == NULL"], diff --git a/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb b/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb index 08e221c0..316e25fa 100644 --- a/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb +++ b/lib/one_gadget/builds/libc-2.28-44f5a3efb0e5733fa9d97e690cb36cd4c682bcdb.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 256230, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 256232, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 256236, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 256243, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 256278, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 256279, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 429851, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb b/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb index 9011bf64..6e21f717 100644 --- a/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb +++ b/lib/one_gadget/builds/libc-2.28-5784a31a1c26f6d2157e585205ebb63dd19ff90f.rb 
@@ -15,22 +15,22 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 257699, - constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x34] == NULL || {[esp+0x34], [esp+0x38], [esp+0x3c], [esp+0x40], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x34, environ)") OneGadget::Gadget.add(build_id, 257701, - constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x38] == NULL || {[esp+0x38], [esp+0x3c], [esp+0x40], [esp+0x44], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x38, environ)") OneGadget::Gadget.add(build_id, 257705, - constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x3c] == NULL || {[esp+0x3c], [esp+0x40], [esp+0x44], [esp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x3c, environ)") OneGadget::Gadget.add(build_id, 257712, - constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL"], + constraints: ["esi is the GOT address of libc", "[esp+0x40] == NULL || {[esp+0x40], [esp+0x44], [esp+0x48], [esp+0x4c], ...} is a valid argv"], effect: "execve(\"/bin/sh\", esp+0x40, environ)") OneGadget::Gadget.add(build_id, 257747, - constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL", "[[esp]] == NULL || [esp] == NULL"], + constraints: ["esi is the GOT address of libc", "[eax] == NULL || eax == NULL || eax is a valid argv", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid envp"], effect: "execve(\"/bin/sh\", eax, [esp])") OneGadget::Gadget.add(build_id, 257748, - constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL", "[[esp+0x4]] == NULL || [esp+0x4] == NULL"], + constraints: ["esi is the GOT address of libc", "[[esp]] == NULL || [esp] == NULL || [esp] is a valid argv", "[[esp+0x4]] == NULL || [esp+0x4] 
== NULL || [esp+0x4] is a valid envp"], effect: "execve(\"/bin/sh\", [esp], [esp+0x4])") OneGadget::Gadget.add(build_id, 433019, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb b/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb index 96e1e244..6f0b315d 100644 --- a/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb +++ b/lib/one_gadget/builds/libc-2.28-5b157f49586a3ca84d55837f97ff466767dd3445.rb 
@@ -14,43 +14,46 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 328056, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") +OneGadget::Gadget.add(build_id, 328063, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 328070, - constraints: ["rsp & 0xf == 0", "rcx == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 328163, - constraints: ["[rsp+0x40] == NULL"], + constraints: ["[rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x40, environ)") OneGadget::Gadget.add(build_id, 328175, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 913902, - constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r13)") OneGadget::Gadget.add(build_id, 913905, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 913908, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: 
["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 914335, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])") OneGadget::Gadget.add(build_id, 914339, - constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rcx, rdx)") +OneGadget::Gadget.add(build_id, 914411, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r13)") OneGadget::Gadget.add(build_id, 914421, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r13)") OneGadget::Gadget.add(build_id, 914425, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r13)") -OneGadget::Gadget.add(build_id, 914483, - constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], - effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") 
-OneGadget::Gadget.add(build_id, 914487, - constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x50", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], - effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1064784, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") diff --git a/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb b/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb index 015105b8..c66de83a 100644 --- a/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb +++ b/lib/one_gadget/builds/libc-2.28-65ed813688b116fdce9e866ad2fef2e734167337.rb 
@@ -14,31 +14,37 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 283129, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283136, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283220, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 283232, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 823386, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 823389, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 823392, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 823472, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", 
rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 823482, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 823486, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 947760, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb b/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb index 2c7e0915..33b9a524 100644 --- a/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb +++ b/lib/one_gadget/builds/libc-2.28-6ee9454b96efa9e343f9e8105f2fa4529265ea05.rb 
@@ -14,31 +14,37 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 281400, + constraints: ["writable: rsp+0x40", "{\"sh\", \"-c\", r12, NULL} is a valid argv"], + effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 281407, - constraints: ["rax == NULL"], + constraints: ["writable: rsp+0x40", "rax == NULL || {rax, \"-c\", r12, NULL} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 281491, - constraints: ["[rsp+0x30] == NULL"], + constraints: ["[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x30, environ)") OneGadget::Gadget.add(build_id, 281503, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") OneGadget::Gadget.add(build_id, 816106, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 816109, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 816112, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 816191, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", 
rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 816201, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 816205, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 939838, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") diff --git a/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb b/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb index 85aa65b1..20b7dd08 100644 --- a/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb +++ b/lib/one_gadget/builds/libc-2.29-5b7203920d3d786ac40af8e0d5104683335f11be.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 292108, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 292116, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 292125, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 292130, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 292135, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 292147, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 477205, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 477210, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 477215, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 477227, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 477236, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 826170, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a 
valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 826173, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 826176, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 826259, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 826266, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 826273, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 949339, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 949351, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid 
argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb b/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb index 85ac0358..5028af29 100644 --- a/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb +++ b/lib/one_gadget/builds/libc-2.29-85d5020664b11fd2708859275de41d5ab9d104cf.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 291228, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 291236, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 291245, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 291250, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 291255, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 291267, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 474333, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 474340, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 474343, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 474355, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 474362, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 824730, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 
== NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 824733, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 824736, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 824815, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 824825, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 824829, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 948598, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 948610, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] 
== NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb b/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb index 66b0d717..d9bf024c 100644 --- a/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb +++ b/lib/one_gadget/builds/libc-2.29-a8af6c81cb28a37bf3a546970bf64224402f8bd4.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 292108, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 292116, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 292125, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 292130, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 292135, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 292147, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 477205, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 477210, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 477215, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 477227, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 477236, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 826618, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a 
valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 826621, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 826624, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 826707, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 826714, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 826721, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 949803, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 949815, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid 
argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb b/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb index 7526fa65..d0ca3a38 100644 --- a/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb +++ b/lib/one_gadget/builds/libc-2.29-c19c88c33b60742ca906e0f9f96fe31b8b79ea9c.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 281228, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 281236, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 281245, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbp, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 281250, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 281255, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 281267, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 465965, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 465972, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 465975, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 465987, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 465994, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 819914, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 
== NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 819917, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 819920, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 820000, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 820010, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 820014, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 944400, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 944412, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] 
== NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb b/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb index 5df62b7e..002a53db 100644 --- a/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb +++ b/lib/one_gadget/builds/libc-2.29-d561ec515222887a1e004555981169199d841024.rb 
@@ -14,52 +14,70 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 339051, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", r12, NULL} is a valid argv", "rbx == NULL || (u16)[rbx] == NULL"], + effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbx, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 339058, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, r12, NULL} is a valid argv", "rbx == NULL || (u16)[rbx] == NULL"], + effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbx, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 339072, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, r12, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbx, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 339077, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbx, r8, environ)") OneGadget::Gadget.add(build_id, 339093, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbx == NULL || (u16)[rbx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbx, r8, environ)") OneGadget::Gadget.add(build_id, 339096, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x8", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 539133, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 539140, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 539143, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 539162, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 539182, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp 
& 0xf == 0", "writable: rsp+0x28", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 539189, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x28", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 926158, - constraints: ["[r15] == NULL || r15 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r13)") OneGadget::Gadget.add(build_id, 926161, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 926164, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 926591, - constraints: ["[rcx] == NULL || rcx == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rcx, [rbp-0x70])") OneGadget::Gadget.add(build_id, 926595, - constraints: ["[rcx] == NULL || rcx == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rcx] == NULL || rcx == NULL || rcx is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is 
a valid envp"], effect: "execve(\"/bin/sh\", rcx, rdx)") +OneGadget::Gadget.add(build_id, 926667, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r13)") OneGadget::Gadget.add(build_id, 926677, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r13)") OneGadget::Gadget.add(build_id, 926681, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r13)") -OneGadget::Gadget.add(build_id, 926739, - constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x80", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], - effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") -OneGadget::Gadget.add(build_id, 926743, - constraints: ["writable: [rbp-0x78]+0x10", "writable: rbp-0x50", "[[rbp-0x78]] == NULL || [rbp-0x78] == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], - effect: "execve(\"/bin/sh\", [rbp-0x78], [rbp-0x70])") OneGadget::Gadget.add(build_id, 1076984, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1076996, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a 
valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb b/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb index 06dff3a4..72cd5a66 100644 --- a/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb +++ b/lib/one_gadget/builds/libc-2.30-00854a16b9b4b73893627ccb730d97907837e320.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 833099, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1331075, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb b/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb index 001d1807..4ec29c71 100644 --- a/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb +++ b/lib/one_gadget/builds/libc-2.30-2155f455ad56bd871c8225bcca85ee25c1c197c4.rb 
@@ -14,61 +14,94 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 348403, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348410, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348422, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm1 == NULL || {\"sh\", (u64)xmm1, rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 348436, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 348446, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 
0", "r12 == NULL || (u16)[r12] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, r8, [rax])") +OneGadget::Gadget.add(build_id, 553381, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553388, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553395, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553398, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553403, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553408, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: 
rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553420, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 553426, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 553433, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 553440, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || 
writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 553443, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, r9)") OneGadget::Gadget.add(build_id, 944542, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 944545, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 944548, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 945043, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: 
rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945046, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945154, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945161, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945168, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945223, + constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945233, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945237, - constraints: ["writable: 
r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945245, - constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1093545, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1093557, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb b/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb index 103bbc29..cf9c995e 100644 --- a/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb +++ b/lib/one_gadget/builds/libc-2.30-33d1f350f13728651d74dd2a56bad1e4e4648f5e.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 298476, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298484, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 298493, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298498, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 298503, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 298515, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 486805, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 486810, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 486815, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 486827, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 486836, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 840618, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a 
valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 840621, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 840624, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 840707, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 840714, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 840721, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 962475, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 962487, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid 
argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb b/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb index 3ad8c5ad..2b25b999 100644 --- a/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb +++ b/lib/one_gadget/builds/libc-2.30-7a1e2ae26cef50584af2c60a5ad3a7ae3e9b1446.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 298476, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298484, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 298493, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298498, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 298503, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 298515, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 486805, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 486810, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 486815, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 486827, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 486836, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 840618, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a 
valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 840621, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 840624, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 840707, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 840714, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 840721, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 962475, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 962487, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid 
argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb b/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb index b2573542..5c9e9549 100644 --- a/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb +++ b/lib/one_gadget/builds/libc-2.30-884362aa891ab565e4cf904cd60be984a7941acd.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 833099, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1331107, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb b/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb index 6ed96016..a8cfd348 100644 --- a/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb +++ b/lib/one_gadget/builds/libc-2.30-c0a4471ee8f24f2ecc0ad1ccbd4633fa6fa36654.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 840475, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1343435, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb b/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb index 96c3b746..c73bdebd 100644 --- a/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb +++ b/lib/one_gadget/builds/libc-2.30-c60a7605ae87b9b40426e3123b12a91bfe2036f3.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 840475, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1343387, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb b/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb index 1b981caf..024425fb 100644 --- a/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb +++ b/lib/one_gadget/builds/libc-2.30-cbe9cff3c43b979739af1681b61a3d585725577b.rb 
@@ -14,61 +14,94 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 348403, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348410, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "r12 == NULL || (u16)[r12] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r12, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348422, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm1 == NULL || {\"sh\", (u64)xmm1, rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 348436, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 348446, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "r12 == NULL || (u16)[r12] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 
0", "r12 == NULL || (u16)[r12] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, r12, r8, [rax])") +OneGadget::Gadget.add(build_id, 553381, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553388, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553395, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553398, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553403, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553408, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: 
rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553420, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 553426, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 553433, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 553440, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || 
writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 553443, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, r9)") OneGadget::Gadget.add(build_id, 944542, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 944545, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 944548, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 945043, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: 
rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945046, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945154, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945161, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945168, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945223, + constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945233, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945237, - constraints: ["writable: 
r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945245, - constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1093433, - constraints: ["[rsp+0x70] == NULL"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x70, environ)") OneGadget::Gadget.add(build_id, 1093445, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb b/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb index 75dbc5d9..2b186f60 100644 --- a/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb +++ b/lib/one_gadget/builds/libc-2.30-f07144cc3d0ac50415f3a2e061be6da672c914ba.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 300668, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300676, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 300685, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300690, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 300695, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 300707, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491573, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 491578, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 491583, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 491595, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491604, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846513, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a 
valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846516, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846519, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846602, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846609, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846616, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 970123, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 970135, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid 
argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb b/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb index 542d5669..9878ca56 100644 --- a/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb +++ b/lib/one_gadget/builds/libc-2.30-f44469d65b4efd2e5951513ed7cbf773657f1283.rb 
@@ -14,37 +14,61 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 300668, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300676, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 300685, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300690, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 300695, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 300707, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491573, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 491578, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 491583, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 491595, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491604, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846513, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a 
valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846516, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846519, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846602, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846609, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846616, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 970075, - constraints: ["[rsp+0x60] == NULL"], + constraints: ["[rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv"], effect: "execve(\"/bin/sh\", rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 970087, - constraints: ["[rsi] == NULL || rsi == NULL", "[[rax]] == NULL || [rax] == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid 
argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp"], effect: "execve(\"/bin/sh\", rsi, [rax])") diff --git a/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb b/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb index e14e574c..9ef441d3 100644 --- a/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb +++ b/lib/one_gadget/builds/libc-2.31-012f3f1e614cb9c829b8d1590d228cc6a9506a03.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 826283, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1329163, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb b/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb index 0051b551..853be6bb 100644 --- a/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb +++ b/lib/one_gadget/builds/libc-2.31-099b9225bcb0d019d9d60884be583eb31bb5f44e.rb 
@@ -14,67 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 348027, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348034, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 348041, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348048, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 348053, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348069, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 348074, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 348077, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 348082, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 553653, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553660, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553667, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553670, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553675, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553680, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553692, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 553698, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 553705, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 553712, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 945278, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 945281, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 945284, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 945779, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945782, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945890, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945897, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945904, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] 
== NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945959, + constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945969, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945973, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945981, - constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1091370, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") 
OneGadget::Gadget.add(build_id, 1091378, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1091383, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1091393, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb b/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb index 2d419def..ec475587 100644 --- a/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb +++ b/lib/one_gadget/builds/libc-2.31-0d1b3211736c4ca528a32ea0d565d41a2ede3b58.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 299518, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 299528, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 299535, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 299540, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 299545, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 299557, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487925, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 487930, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 487935, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 487947, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487956, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 841530, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 841533, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 841536, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841619, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841626, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841633, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 962362, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 962370, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 962375, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 962385, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb b/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb index 414520d4..3b63d248 100644 --- a/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb +++ b/lib/one_gadget/builds/libc-2.31-0df979b8b244294bbc29bbe8f7f6dd6bf89c6820.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 837611, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1334659, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb b/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb index b2bebac2..db7ef440 100644 --- a/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb +++ b/lib/one_gadget/builds/libc-2.31-12e412d1938ec3ff79751f0e85f31bc52f7e3722.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 298140, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298148, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 298157, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298162, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 298167, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 298179, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487029, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 487034, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 487039, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 487051, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487060, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 841002, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a 
valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 841005, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 841008, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841091, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841098, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841105, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 963538, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: 
"posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 963546, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963551, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963561, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb b/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb index 2965e5e2..1d8856ce 100644 --- a/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb +++ b/lib/one_gadget/builds/libc-2.31-2886817dc06a87bdeef50544c0d6c12de13a8148.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287412, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 287422, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 287429, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 287434, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 287439, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 287451, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 478821, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 478826, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 478831, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 478843, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 478852, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 834305, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 834308, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 834311, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 834394, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 834401, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 834408, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 958594, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 958602, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 958607, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 958617, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb b/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb index 16a3b5bd..69711842 100644 --- a/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb +++ b/lib/one_gadget/builds/libc-2.31-4d4d0853eb075b8b0cfaee0aee7cdf4254a3e877.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 300292, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300302, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 300309, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300314, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 300319, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 300331, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491701, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 491706, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 491711, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 491723, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491732, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 847169, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 847172, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 847175, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 847258, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 847265, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 847272, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 971458, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 971466, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 971471, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 971481, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb b/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb index 75d4c4bc..3f6e1724 100644 --- a/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb +++ b/lib/one_gadget/builds/libc-2.31-58a58f2fcdafddacb4a08439ea2ee163ff645d1d.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 821515, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1318755, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb b/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb index 9c7d2ca7..fd36be17 100644 --- a/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb +++ b/lib/one_gadget/builds/libc-2.31-634252e0c5f8b03957a2e529719d4101699a894a.rb 
@@ -14,67 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 348027, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348034, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 348041, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348048, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 348053, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 348069, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 348074, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 348077, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 348082, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 553653, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553660, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553667, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553670, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 553675, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553680, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 553692, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 553698, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 553705, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 553712, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 944878, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 944881, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 944884, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 945379, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945382, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 945490, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945497, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945504, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] 
== NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945559, + constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 945569, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 945573, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 945581, - constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1090970, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") 
OneGadget::Gadget.add(build_id, 1090978, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1090983, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1090993, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb b/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb index ff633e87..446ee767 100644 --- a/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb +++ b/lib/one_gadget/builds/libc-2.31-6b143503744b9d6c22e479941488d6a9e6e3f1c5.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 826299, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1329195, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb b/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb index 5b642aea..25b958d8 100644 --- a/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb +++ b/lib/one_gadget/builds/libc-2.31-6c6ea8a57519f219a10c9d6a6d199dd813680226.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 842379, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1345083, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb b/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb index 9a726e67..a3c8232a 100644 --- a/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb +++ b/lib/one_gadget/builds/libc-2.31-6dbad1709854c527793f6401666e45a791b7c793.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 298140, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298148, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", 0, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 298157, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 298162, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 298167, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 298179, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: 
"posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487029, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 487034, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 487039, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 487051, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487060, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 841002, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a 
valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 841005, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 841008, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841091, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841098, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841105, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 963538, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: 
"posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 963546, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963551, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963561, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb b/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb index 1159f00c..29f82782 100644 --- a/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb +++ b/lib/one_gadget/builds/libc-2.31-85d7bb2dad0f8172d1c02c0311a00c4695933beb.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 838059, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1335107, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb b/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb index 075f47e4..469d50f3 100644 --- a/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb +++ b/lib/one_gadget/builds/libc-2.31-8629fa2eea681f639a0c18305d4548850dde3450.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 821515, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1318771, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb b/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb index 49e40270..8ba0999f 100644 --- a/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb +++ b/lib/one_gadget/builds/libc-2.31-94761ae31db09ce9140ca55cb6986a5ea9110abc.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 287364, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 287374, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 287381, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 287386, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 287391, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 287403, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 478725, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 478730, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 478735, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 478747, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 478756, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 834193, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 834196, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 834199, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 834282, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 834289, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 834296, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 958482, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 958490, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 958495, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 958505, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb b/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb index 1633e3af..88f377a9 100644 --- a/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb +++ b/lib/one_gadget/builds/libc-2.31-9fdb74e7b217d06c93172a8243f8547f947ee6d1.rb 
@@ -14,67 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 335403, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 335410, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 335417, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 335424, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 335429, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 335445, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 335450, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 335453, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 335458, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 541029, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 541036, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 541043, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 541046, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 541051, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 541056, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 541068, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 541074, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 541081, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 541088, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 932654, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 932657, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 932660, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 933155, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 933158, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 933266, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 933273, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 933280, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] 
== NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 933335, + constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 933345, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 933349, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 933357, - constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1078746, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") 
OneGadget::Gadget.add(build_id, 1078754, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1078759, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1078769, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb b/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb index f2309212..8582ed61 100644 --- a/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb +++ b/lib/one_gadget/builds/libc-2.31-c9d56de82ddd00d822d6100034f3075ef1709cd2.rb 
@@ -14,67 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 335355, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 335362, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 335369, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 335376, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 335381, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 335397, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 335402, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 335405, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 335410, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 540981, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 540988, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 540995, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 540998, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 541003, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 541008, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 541020, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 541026, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 541033, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 541040, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 932606, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 932609, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 932612, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 933107, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 933110, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 933218, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 933225, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 933232, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] 
== NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 933287, + constraints: ["writable: rbp-0x50", "[rbp-0x68] == NULL || {\"/bin/sh\", [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 933297, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 933301, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 933309, - constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x48", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r10, r12)") OneGadget::Gadget.add(build_id, 1078698, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") 
OneGadget::Gadget.add(build_id, 1078706, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1078711, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1078721, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb b/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb index 287e70ce..91fab787 100644 --- a/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb +++ b/lib/one_gadget/builds/libc-2.31-e67e80e70619717709e3180e552a11a285036a54.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 299630, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 299640, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 299647, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 299652, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 299657, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 299669, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488037, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 488042, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 488047, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 488059, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488068, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 841642, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 841645, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 841648, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 841731, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841738, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 841745, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 962474, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 962482, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 962487, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 962497, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb b/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb index 41a2cd1b..d669037d 100644 --- a/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb +++ b/lib/one_gadget/builds/libc-2.31-eb3c5cf73a0a6b7f2b3895a56dbc443806700971.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 300292, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "r13 == NULL || (u16)[r13] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, r13, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300302, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 300309, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 300314, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 300319, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 300331, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491701, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 491706, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 491711, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 491723, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 491732, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846769, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846772, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846775, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846858, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846865, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846872, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 971058, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 971066, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 971071, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 971081, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb b/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb index 3f9c87d4..b43efa18 100644 --- a/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb +++ b/lib/one_gadget/builds/libc-2.31-fb7626dd8b8a50f7685920487e992528834f6775.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 842827, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL", "[esi] == NULL || esi == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv", "[esi] == NULL || esi == NULL || esi is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x2c], esi)") OneGadget::Gadget.add(build_id, 1345531, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb b/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb index 9138c02d..f36e85ab 100644 --- a/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb +++ b/lib/one_gadget/builds/libc-2.32-0e5c8d8738927eb715941480b3726fa764cc50ed.rb @@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 843712, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 843715, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1358179, constraints: ["ebp is the GOT address of libc", "eax == NULL"], 
diff --git a/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb b/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb index 2d8b05b1..e6aea3d0 100644 --- a/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb +++ b/lib/one_gadget/builds/libc-2.32-1e3fb06b8c86b5e282e3e11bd207d399fb4952e2.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 327009, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327016, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327023, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327030, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327035, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327051, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 327056, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 327059, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 327064, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 526533, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526540, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526547, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526550, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526555, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526560, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526572, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526578, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 526585, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526592, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 914284, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 914287, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 914290, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 914773, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 914777, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 914879, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 914886, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 914893, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 914948, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 914955, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 914962, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 914966, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1056410, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1056418, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056423, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056433, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb b/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb index f4543d4d..5ab05bd8 100644 --- a/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb +++ b/lib/one_gadget/builds/libc-2.32-7ec3e74da842ca3c6a9ba20b21303ce1bc7a45af.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 327489, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327496, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327503, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327510, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327515, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327531, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 327536, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 327539, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 327544, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 527013, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527020, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527027, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527030, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527035, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527040, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527052, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 527058, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 527065, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 527072, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 914764, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 914767, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 914770, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 915253, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915257, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 915359, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 915366, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 915373, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915428, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915435, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915442, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915446, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1056890, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1056898, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056903, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056913, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb b/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb index 204213b6..e2cf3af2 100644 --- a/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb +++ b/lib/one_gadget/builds/libc-2.32-7fba7abef941659c229c2636aa0905c28652ee3f.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 305864, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305874, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 305881, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305886, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 305891, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 305903, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490453, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 490458, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 490463, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 490475, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490484, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846702, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846705, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846708, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846791, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846798, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846805, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 968906, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 968914, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968919, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968929, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb b/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb index 01d46a68..c5d648b3 100644 --- a/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb +++ b/lib/one_gadget/builds/libc-2.32-82f6b69e698bb579baefb35a3fb0346632fa2c4d.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 327489, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327496, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327503, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327510, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327515, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327531, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 327536, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 327539, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 327544, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 527013, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527020, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527027, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527030, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527035, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527040, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527052, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 527058, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 527065, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 527072, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 914764, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 914767, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 914770, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 915253, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915257, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 915359, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 915366, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 915373, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915428, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915435, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915442, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915446, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1056890, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1056898, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056903, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056913, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb b/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb index 9d945a49..e100c5c2 100644 --- a/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb +++ b/lib/one_gadget/builds/libc-2.32-87f011a7e4cc3fc60a54d0d3dd690e7438decc8d.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 304072, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 304082, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 304089, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 304094, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 304099, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 304111, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487573, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 487578, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 487583, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 487595, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487604, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 842330, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 842333, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 842336, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842419, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 842426, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 842433, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 963114, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 963122, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963127, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963137, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb b/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb index 1128239c..e6c137ef 100644 --- a/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb +++ b/lib/one_gadget/builds/libc-2.32-92199dd358616182fb49c992330fb05e42eaa423.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 843712, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 843715, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1358307, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb b/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb index 03ec38f4..5aeaee64 100644 --- a/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb +++ b/lib/one_gadget/builds/libc-2.32-9d60d4bd625a7fe2439db781a5fc91bb69684903.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 843712, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 843715, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1358307, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb b/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb index 7d2f3972..fc6eac97 100644 --- a/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb +++ b/lib/one_gadget/builds/libc-2.32-a75b0c335a4987f12d17d3b4adb8dc430432b082.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 848880, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 848883, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1370827, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb b/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb index f19e15f9..bb508c69 100644 --- a/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb +++ b/lib/one_gadget/builds/libc-2.32-ac287babd169c70013b752da2713dfb96d9a503f.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 327489, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327496, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327503, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327510, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 327515, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 327531, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 327536, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 327539, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 327544, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 527013, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527020, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527027, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527030, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527035, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527040, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527052, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 527058, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 527065, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 527072, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 914764, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 914767, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 914770, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 915253, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915257, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 915359, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 915366, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 915373, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 915428, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915435, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915442, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 915446, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1056890, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1056898, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056903, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1056913, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb b/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb index 71b71c4b..c1509329 100644 --- a/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb +++ b/lib/one_gadget/builds/libc-2.32-aebd80372a00285a5c486ef72917f935eb8f91be.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 843328, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 843331, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1357923, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb b/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb index 501ea457..d0dd4433 100644 --- a/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb +++ b/lib/one_gadget/builds/libc-2.32-bd0e9dc4e27475b5ab7dc59141daaa2626b8a760.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 848496, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 848499, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1370571, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb b/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb index 0cf5065e..b767dc93 100644 --- a/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb +++ b/lib/one_gadget/builds/libc-2.32-bddeb6374fc99723cef3b3baafe48ac78fce13b4.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 848880, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 848883, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1370955, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb b/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb index c5bee1db..cdd0604f 100644 --- a/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb +++ b/lib/one_gadget/builds/libc-2.32-cb91dd613d38b806a16bed1b364c084ad63d1a1f.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 305368, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305378, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 305385, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305390, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 305395, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 305407, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 489957, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 489962, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 489967, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 489979, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 489988, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846206, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846209, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846212, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846295, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846302, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846309, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 968410, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 968418, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968423, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968433, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb b/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb index e724e2f5..edfcb245 100644 --- a/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb +++ b/lib/one_gadget/builds/libc-2.32-d3f1cf7f55b985fd6d989880ec3599724fe40a26.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 848880, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 848883, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1370955, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb b/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb index 05d9183f..3c807c0f 100644 --- a/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb +++ b/lib/one_gadget/builds/libc-2.32-e13b24f94b260dd6394bdb2433d2a78e37078d5c.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 305864, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305874, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 305881, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305886, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 305891, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 305903, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490453, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 490458, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 490463, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 490475, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490484, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846702, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846705, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846708, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846791, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846798, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846805, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 968906, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 968914, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968919, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968929, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb b/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb index ba3d49f8..295bfcdb 100644 --- a/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb +++ b/lib/one_gadget/builds/libc-2.32-e1596c76d0d93d8a36378ba976f034f140618d59.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 305864, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305874, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 305881, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 305886, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 305891, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 305903, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490453, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 490458, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 490463, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 490475, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490484, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 846702, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 846705, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 846708, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 846791, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846798, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 846805, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 968906, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 968914, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968919, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 968929, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb b/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb index 9b2f650e..59e0575e 100644 --- a/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb +++ b/lib/one_gadget/builds/libc-2.32-f45b67ab28af1581cba8e4713e0fd3b2bc004b2e.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 304072, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 304082, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 304089, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 304094, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 304099, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 304111, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487573, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 487578, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 487583, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 487595, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 487604, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 842330, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 842333, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 842336, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842419, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 842426, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 842433, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 963114, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 963122, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963127, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 963137, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb b/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb index a906e3e9..017d4b4c 100644 --- a/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb +++ b/lib/one_gadget/builds/libc-2.33-18edf6b683a2f9768cc0ee9cc64ae6fbb545deb2.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 325073, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325080, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 325087, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325094, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 325099, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325115, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 325120, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 325123, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 325128, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 526053, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526060, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526067, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526070, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526075, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526080, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526092, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526098, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 526105, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526112, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 911132, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 911135, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 911138, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 911621, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911625, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 911727, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 911734, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 911741, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911796, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911803, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911810, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911814, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1052858, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1052866, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1052871, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1052881, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb b/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb index c1cd645a..5c9ad6b0 100644 --- a/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb +++ b/lib/one_gadget/builds/libc-2.33-1c943bf313b5b4546e47b830e70de6bbd6a0ba57.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 840640, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 840643, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1357363, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb b/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb index 3e86947f..6cae3418 100644 --- a/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb +++ b/lib/one_gadget/builds/libc-2.33-2b48299781548c9bc452eac6df39902547c884ed.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 325073, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325080, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 325087, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325094, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 325099, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325115, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 325120, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 325123, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 325128, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 526053, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526060, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526067, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526070, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526075, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526080, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526092, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526098, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 526105, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526112, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 911244, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 911247, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 911250, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 911733, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911737, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 911839, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 911846, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 911853, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911908, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911915, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911922, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911926, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1052906, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1052914, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1052919, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1052929, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb b/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb index e78bf67d..30716de2 100644 --- a/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb +++ b/lib/one_gadget/builds/libc-2.33-37169e68b33cad12e272bb4896d71fd0d4fd98bb.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 303704, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 303714, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 303721, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 303726, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 303731, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 303743, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488949, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 488954, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 488959, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 488971, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488980, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 842382, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 842385, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 842388, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842471, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 842478, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 842485, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 964842, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 964850, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 964855, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 964865, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb b/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb index d0167d58..e2ef4e8f 100644 --- a/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb +++ b/lib/one_gadget/builds/libc-2.33-54a6e404e7dc1de7c1434a00b7b1ad325b81f22a.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 302248, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 302258, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 302265, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 302270, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 302275, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 302287, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 485861, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 485866, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 485871, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 485883, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 485892, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 838682, - constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", r12, r13)") OneGadget::Gadget.add(build_id, 838685, - constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r12, rdx)") OneGadget::Gadget.add(build_id, 838688, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 838771, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 838778, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 838785, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 959850, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 959858, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 959863, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 959873, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb b/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb index 59bffcdd..c2a4c455 100644 --- a/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb +++ b/lib/one_gadget/builds/libc-2.33-7983d313db4a441a3762c8861ca405aa0331c0c8.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 303704, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 303714, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 303721, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 303726, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 303731, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 303743, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488949, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 488954, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 488959, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 488971, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488980, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 842238, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 842241, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 842244, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842327, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 842334, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 842341, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 964698, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 964706, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 964711, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 964721, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb b/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb index b8e844be..44f2d63c 100644 --- a/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb +++ b/lib/one_gadget/builds/libc-2.33-8fdc2b2c65f3d782e52c01b546399eee8aa466dc.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 840576, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 840579, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1357603, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb b/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb index abc2137a..56ad3b7a 100644 --- a/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb +++ b/lib/one_gadget/builds/libc-2.33-9143da129b44b931a1c180e2b103e993dd2474fd.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 846000, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 846003, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1370395, constraints: ["ebp is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb b/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb index bf010999..281273eb 100644 --- a/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb +++ b/lib/one_gadget/builds/libc-2.33-97c8d90bd86bc698d156630e8803de433a640090.rb 
@@ -14,70 +14,109 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 325057, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325064, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 325071, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325078, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 325083, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 325099, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 325104, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 325107, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 325112, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 526053, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526060, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526067, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526070, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 526075, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526080, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 526092, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526098, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 526105, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x60, [rax])") +OneGadget::Gadget.add(build_id, 526112, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 911244, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], 
effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 911247, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 911250, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 911733, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911737, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 911839, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 911846, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") OneGadget::Gadget.add(build_id, 911853, - constraints: ["writable: rbp-0x50", 
"[rbp-0x50] == NULL || rbp-0x50 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 911908, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911915, - constraints: ["writable: rbp-0x48", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911922, - constraints: ["writable: rbp-0x50", "[rbp-0x50] == NULL || rbp-0x50 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") OneGadget::Gadget.add(build_id, 911926, - constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1052938, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], 
[rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1052946, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1052951, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1052961, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb b/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb index d21a96eb..b42ea6e4 100644 --- a/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb +++ b/lib/one_gadget/builds/libc-2.33-9bf4c513db255ab7248cef9f0f96b4403df29852.rb 
@@ -14,43 +14,67 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 303704, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 303714, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 303721, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 303726, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 303731, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 303743, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488933, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 488938, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 488943, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 488955, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 488964, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 842382, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", 
"[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 842385, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 842388, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 842471, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 842478, - constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 842485, - constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 964842, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 964850, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 964855, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 964865, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb b/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb index 16388488..47ab9af0 100644 --- a/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb +++ b/lib/one_gadget/builds/libc-2.33-9e592d3efa165bc2bab8b40426370bd50cb0b027.rb 
@@ -14,43 +14,67 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 485930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
 effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 485947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 838938,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", r12, r13)")
 OneGadget::Gadget.add(build_id, 838941,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r12, rdx)")
 OneGadget::Gadget.add(build_id, 838944,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839027,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 839034,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 839041,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 960106,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
 OneGadget::Gadget.add(build_id, 960114,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
 OneGadget::Gadget.add(build_id, 960119,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
 OneGadget::Gadget.add(build_id, 960129,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb b/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb
index 10290964..d3a8da05 100644
--- a/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb
+++ b/lib/one_gadget/builds/libc-2.33-abf3b2a9815c0cd6e4280cd99474d34102804eb2.rb
@@ -14,43 +14,67 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 485930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
 effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 485947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 838938,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", r12, r13)")
 OneGadget::Gadget.add(build_id, 838941,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r12, rdx)")
 OneGadget::Gadget.add(build_id, 838944,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839027,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 839034,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 839041,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 960106,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
 OneGadget::Gadget.add(build_id, 960114,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
 OneGadget::Gadget.add(build_id, 960119,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
 OneGadget::Gadget.add(build_id, 960129,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb b/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
index 738c0450..25d5f946 100644
--- a/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
+++ b/lib/one_gadget/builds/libc-2.33-b046eecd056a0c30995703f6cfca7a8e3a9ef5fa.rb
@@ -14,43 +14,67 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 302248,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"],
+ effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302258,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 302265,
- constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)")
+OneGadget::Gadget.add(build_id, 302270,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 302275,
+ constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 302287,
- constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485925,
+ constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x50, environ)")
 OneGadget::Gadget.add(build_id, 485930,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"],
 effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, r8, environ)")
+OneGadget::Gadget.add(build_id, 485935,
+ constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 485947,
- constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
 effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)")
+OneGadget::Gadget.add(build_id, 485956,
+ constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"],
+ effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)")
 OneGadget::Gadget.add(build_id, 838938,
- constraints: ["[r12] == NULL || r12 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", 
"[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", r12, r13)")
 OneGadget::Gadget.add(build_id, 838941,
- constraints: ["[r12] == NULL || r12 == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[r12] == NULL || r12 == NULL || r12 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", r12, rdx)")
 OneGadget::Gadget.add(build_id, 838944,
- constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"],
+ constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"],
 effect: "execve(\"/bin/sh\", rsi, rdx)")
+OneGadget::Gadget.add(build_id, 839027,
+ constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
+ effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 839034,
- constraints: ["writable: rbp-0x38", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 839041,
- constraints: ["writable: rbp-0x40", "[rbp-0x40] == NULL || rbp-0x40 == NULL", "[r13] == NULL || r13 == NULL"],
+ constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"],
 effect: "execve(\"/bin/sh\", rbp-0x40, r13)")
 OneGadget::Gadget.add(build_id, 960106,
- constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || 
(s32)[[rsp+0x40]+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])")
 OneGadget::Gadget.add(build_id, 960114,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)")
 OneGadget::Gadget.add(build_id, 960119,
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
 effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)")
 OneGadget::Gadget.add(build_id, 960129,
- constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
+ constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"],
 effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)")
diff --git a/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb b/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb
index ecc3a022..48070e2f 100644
--- a/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb
+++ b/lib/one_gadget/builds/libc-2.33-b2262bfa6f1bffd1e9ddc845276dfaebb7c8f0b9.rb
@@ -14,8 +14,11 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 840688,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 840691,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
 effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 1357523,
 constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb b/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb
index 7d3a9d79..7438bdab 100644
--- a/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb
+++ b/lib/one_gadget/builds/libc-2.33-f462ab2b79c7f29fb866da6e087e45261570a09c.rb
@@ -14,8 +14,11 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 845936,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 845939,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
 effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 1369851,
 constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb b/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb
index 4fa7ac00..4ec8c650 100644
--- a/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb
+++ b/lib/one_gadget/builds/libc-2.33-f4af69206091c7f14a941f2dd77a79a7682a1184.rb
@@ -14,8 +14,11 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 846000,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 846003,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
 effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 1370043,
 constraints: ["ebp is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb b/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb
index 57989f9a..96b73696 100644
--- a/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb
+++ b/lib/one_gadget/builds/libc-2.34-140609514178a4bb96a3cd44ffdfede398a77610.rb
@@ -14,8 +14,11 @@
 # .
 build_id = File.basename(__FILE__, '.rb').split('-').last
+OneGadget::Gadget.add(build_id, 902864,
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
+ effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 902867,
- constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"],
+ constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"],
 effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])")
 OneGadget::Gadget.add(build_id, 1494977,
 constraints: ["esi is the GOT address of libc", "eax == NULL"],
diff --git a/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb b/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb
index 07fd7388..cc278010 100644
--- a/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb
+++ b/lib/one_gadget/builds/libc-2.34-25594d4b6cbecda86ec968fa940c6c09937db70f.rb
@@ -14,37 +14,70 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 307913, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 307923, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 307930, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 307935, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 307940, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 307952, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490357, + constraints: ["writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 490364, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490367, + constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 490379, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490386, + constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 490407, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", 
"rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 893550, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 893553, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 893556, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 893639, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 893646, + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 893653, + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 1014858, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], 
[rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1014866, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1014871, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1014881, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb b/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb index d6cc5d12..cf9f4456 100644 --- a/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb +++ b/lib/one_gadget/builds/libc-2.34-387920279e1c7892042ff27d76315d55e4651db9.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 908704, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 908707, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1509937, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb b/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb index 2d4c3b4b..823c2ed2 100644 --- a/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb +++ b/lib/one_gadget/builds/libc-2.34-7e46fbc4d85f5df8b6f18630787ad281786a3512.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 925056, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 925059, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1526097, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb b/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb index afec7c33..cb12ac38 100644 --- a/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb +++ b/lib/one_gadget/builds/libc-2.34-8d631c824a37b236d1dc9686b224a573fd6048b4.rb 
@@ -14,8 +14,11 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 919216, + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x34] == NULL || {\"/bin/sh\", [ebp-0x34], NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], + effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 919219, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[ebp-0x28] == NULL || ebp-0x28 == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "eax == NULL || {\"/bin/sh\", eax, NULL} is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", ebp-0x28, [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1511121, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb b/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb index e071cdb6..2a85219e 100644 --- a/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb +++ b/lib/one_gadget/builds/libc-2.34-b8037b6260865346802321dd2256b8ad1d857e63.rb 
@@ -14,55 +14,106 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 345986, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 345993, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 346000, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 346007, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 346012, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 346028, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 346033, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 346036, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 346041, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 543797, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 543804, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 543811, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 543814, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 543819, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 543824, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 543829, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL 
|| {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 543834, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 543854, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 978124, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 978127, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 978130, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 978613, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || 
[rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 978617, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 978719, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 978726, + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 978733, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 978788, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 978795, + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 978802, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == 
NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 978806, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1117482, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1117490, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1117495, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1117505, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == 
NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb b/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb index a04b4c3a..ee989c78 100644 --- a/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb +++ b/lib/one_gadget/builds/libc-2.34-ba4777827fe1fb729ca35acd99c8013936172a0d.rb 
@@ -14,37 +14,70 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 324297, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 324307, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 324314, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 324319, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 324324, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 324336, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 506709, + constraints: ["writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 506716, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 506719, + constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 506731, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 506738, + constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 506759, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", 
"rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 909902, - constraints: ["[r13] == NULL || r13 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r13, r12)") OneGadget::Gadget.add(build_id, 909905, - constraints: ["[r13] == NULL || r13 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r13] == NULL || r13 == NULL || r13 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r13, rdx)") OneGadget::Gadget.add(build_id, 909908, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 909991, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 909998, + constraints: ["writable: rbp-0x38", "rax == NULL || {rax, rdi, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") +OneGadget::Gadget.add(build_id, 910005, + constraints: ["writable: rbp-0x40", "rax == NULL || {rax, [rbp-0x38], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r12)") OneGadget::Gadget.add(build_id, 1031210, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], 
[rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1031218, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1031223, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1031233, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb b/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb index 38bb7003..59094c8c 100644 --- a/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb +++ b/lib/one_gadget/builds/libc-2.34-f0fc29165cbe6088c0e1adf03b0048fbecbc003a.rb 
@@ -14,55 +14,106 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 329602, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 329609, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 329616, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 329623, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 329628, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0xc, \"/bin/sh\", rdx, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 329644, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == 
NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x50, [rax])") OneGadget::Gadget.add(build_id, 329649, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 329652, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 329657, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 527445, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527452, + constraints: ["rsp & 0xf == 0", 
"writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527459, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527462, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527467, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527472, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527477, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == NULL 
|| {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527482, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)") +OneGadget::Gadget.add(build_id, 527502, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 961772, - constraints: ["[r15] == NULL || r15 == NULL", "[r12] == NULL || r12 == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], effect: "execve(\"/bin/sh\", r15, r12)") OneGadget::Gadget.add(build_id, 961775, - constraints: ["[r15] == NULL || r15 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[r15] == NULL || r15 == NULL || r15 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r15, rdx)") OneGadget::Gadget.add(build_id, 961778, - constraints: ["[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") OneGadget::Gadget.add(build_id, 962261, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || 
[rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 962265, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") +OneGadget::Gadget.add(build_id, 962367, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 962374, + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 962381, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 962436, + constraints: ["writable: rbp-0x48", "rbx == NULL || {\"/bin/sh\", rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 962443, + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, rbx, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 962450, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == 
NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 962454, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1101130, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1101138, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1101143, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1101153, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == 
NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb b/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb index f16aeb76..eb968389 100644 --- a/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb +++ b/lib/one_gadget/builds/libc-2.35-89c3cb85f9e55046776471fed05ec441581d1969.rb 
@@ -14,49 +14,91 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 330281, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 330288, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 330295, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", 0, rbp, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 330302, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, (u64)xmm3, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", rdx, rbp, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 330307, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm3, rbx, NULL} is a valid argv", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rsp+0x1c, \"/bin/sh\", rdx, rbp, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 330323, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "(u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx 
== NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, rsp+0x60, [rax])") OneGadget::Gadget.add(build_id, 330328, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rbp == NULL || (u16)[rbp] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rbp, r8, [rax])") +OneGadget::Gadget.add(build_id, 330331, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") OneGadget::Gadget.add(build_id, 330336, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "[[rax]] == NULL || [rax] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "[[rax]] == NULL || [rax] == NULL || [rax] is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, [rax])") +OneGadget::Gadget.add(build_id, 527413, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527420, + constraints: ["rsp & 0xf == 
0", "writable: rsp+0x70", "rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527427, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527430, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x70", "rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") +OneGadget::Gadget.add(build_id, 527435, + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527440, - constraints: ["rsp & 0xf == 0", "rcx == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527445, - constraints: ["rsp & 0xf == 0", "(u64)xmm0 == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "(u64)xmm0 == 
NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 527450, - constraints: ["rsp & 0xf == 0", "[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["rsp & 0xf == 0", "writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, 0, r8, environ)") OneGadget::Gadget.add(build_id, 965873, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 965877, - constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", r10, rdx)") OneGadget::Gadget.add(build_id, 965880, - constraints: ["writable: rbp-0x78", "[rsi] == NULL || rsi == NULL", "[rdx] == NULL || rdx == NULL"], + constraints: ["writable: rbp-0x78", "[rsi] == NULL || rsi == NULL || rsi is a valid argv", "[rdx] == NULL || rdx == NULL || rdx is a valid envp"], effect: "execve(\"/bin/sh\", rsi, rdx)") +OneGadget::Gadget.add(build_id, 965970, + constraints: ["writable: rbp-0x48", "r13 == NULL || {\"/bin/sh\", r13, NULL} is a valid argv", "[r12] == NULL || r12 == NULL || r12 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, r12)") +OneGadget::Gadget.add(build_id, 966056, + constraints: ["writable: rbp-0x48", 
"r12 == NULL || {\"/bin/sh\", r12, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 966063, + constraints: ["writable: rbp-0x48", "rax == NULL || {rax, r12, NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 966067, + constraints: ["writable: rbp-0x50", "rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x50, [rbp-0x70])") +OneGadget::Gadget.add(build_id, 966071, + constraints: ["writable: r10+0x10", "writable: rbp-0x50", "[r10] == NULL || r10 == NULL || r10 is a valid argv", "[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp"], + effect: "execve(\"/bin/sh\", r10, [rbp-0x70])") OneGadget::Gadget.add(build_id, 1104834, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1104842, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x40] == NULL || (s32)[[rsp+0x40]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x40], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1104847, 
- constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1104857, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb b/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb index 5b0926f0..3880d136 100644 --- a/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb +++ b/lib/one_gadget/builds/libc-2.35-ab265082cac9486923c709d48ee5dde080e243ff.rb 
@@ -14,28 +14,55 @@ # . build_id = File.basename(__FILE__, '.rb').split('-').last +OneGadget::Gadget.add(build_id, 307410, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rbp == NULL || (u16)[rbp] == NULL"], + effect: "posix_spawn(rsp+0xc, \"/bin/sh\", 0, rbp, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 307420, + constraints: ["writable: rsp+0x60", "{\"sh\", \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") OneGadget::Gadget.add(build_id, 307427, - constraints: ["rax == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x60", "rax == NULL || {rax, \"-c\", rbx, NULL} is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, rsp+0x50, environ)") +OneGadget::Gadget.add(build_id, 307432, + constraints: ["writable: rsp+0x60", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 307437, + constraints: ["writable: rsp+0x50", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 307449, - constraints: ["[r8] == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x58", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == 
NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 489349, + constraints: ["writable: rsp+0x70", "{\"sh\", \"-c\", rbp, NULL} is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, 0, rsp+0x60, environ)") OneGadget::Gadget.add(build_id, 489356, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "r12 == NULL || (s32)[r12+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", r12, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 489359, + constraints: ["writable: rsp+0x70", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") OneGadget::Gadget.add(build_id, 489371, - constraints: ["[r8] == NULL", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rbx+0xe0 == NULL || writable: rbx+0xe0", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], effect: "posix_spawn(rbx+0xe0, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 489378, + constraints: ["writable: rsp+0x78", "[r8] == NULL || r8 is a valid argv", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 489399, + constraints: ["writable: rsp+0x68", "[r8] == NULL || r8 is a valid argv", 
"rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0", "rcx == NULL || (u16)[rcx] == NULL"], + effect: "posix_spawn(rdi, \"/bin/sh\", rdx, rcx, r8, environ)") +OneGadget::Gadget.add(build_id, 895287, + constraints: ["writable: rbp-0x38", "rdi == NULL || {\"/bin/sh\", rdi, NULL} is a valid argv", "[r13] == NULL || r13 == NULL || r13 is a valid envp"], + effect: "execve(\"/bin/sh\", rbp-0x40, r13)") OneGadget::Gadget.add(build_id, 1016778, - constraints: ["[rsp+0x70] == NULL", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])") OneGadget::Gadget.add(build_id, 1016786, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "[rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", [rsp+0x38], 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1016791, - constraints: ["[rsp+0x70] == NULL", "[r9] == NULL || r9 == NULL", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rsp+0x64, \"/bin/sh\", rdx, 0, rsp+0x70, r9)") OneGadget::Gadget.add(build_id, 1016801, - constraints: ["[r8] == NULL", "[r9] == NULL || r9 == NULL", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], + constraints: ["[r8] == NULL || r8 
is a valid argv", "[r9] == NULL || r9 == NULL || r9 is a valid envp", "rdi == NULL || writable: rdi", "rdx == NULL || (s32)[rdx+0x4] <= 0"], effect: "posix_spawn(rdi, \"/bin/sh\", rdx, 0, r8, r9)") diff --git a/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb b/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb index c87de498..f05aa533 100644 --- a/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb +++ b/lib/one_gadget/builds/libc-2.35-c376d41cff4473142a97ac1ff1eab433859dc3d4.rb @@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 912899, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL || [ebp-0x30] is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x30], [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1517633, constraints: ["esi is the GOT address of libc", "eax == NULL"], diff --git a/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb b/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb index 51de680f..ef26a40f 100644 --- a/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb +++ b/lib/one_gadget/builds/libc-2.35-dfca8b65dd2d2ca67f70dc7a556a6cfa8ba96ed8.rb 
@@ -15,7 +15,7 @@ build_id = File.basename(__FILE__, '.rb').split('-').last OneGadget::Gadget.add(build_id, 907139, - constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL"], + constraints: ["ebx is the GOT address of libc", "writable: ebp-0x20", "[[ebp-0x30]] == NULL || [ebp-0x30] == NULL || [ebp-0x30] is a valid argv", "[[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid envp"], effect: "execve(\"/bin/sh\", [ebp-0x30], [ebp-0x2c])") OneGadget::Gadget.add(build_id, 1502977, constraints: ["esi is the GOT address of libc", "eax == NULL"],