hacktricks/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md

3.2 KiB

One Gadget

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

One Gadget allows to obtain a shell instead of using system and "/bin/sh". One Gadget will find inside the libc library some way to obtain a shell (execve("/bin/sh")) using just one address.
However, normally there are some constrains, the most common ones and easy to avoid are like [rsp+0x30] == NULL As you control the values inside the RSP you just have to send some more NULL values so the constrain is avoided.

ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100

To the address indicated by One Gadget you need to add the base address where libc is loaded.

{% hint style="success" %} One Gadget is a great help for Arbitrary Write 2 Exec techniques and might simplifies ROP chains as you only need to call one address (and fulfill the requirements). {% endhint %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: