3.2 KiB
One Gadget
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
One Gadget allows to obtain a shell instead of using system and "/bin/sh". One Gadget will find inside the libc library some way to obtain a shell (execve("/bin/sh")
) using just one address.
However, normally there are some constrains, the most common ones and easy to avoid are like [rsp+0x30] == NULL
As you control the values inside the RSP you just have to send some more NULL values so the constrain is avoided.
ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100
To the address indicated by One Gadget you need to add the base address where libc
is loaded.
{% hint style="success" %} One Gadget is a great help for Arbitrary Write 2 Exec techniques and might simplifies ROP chains as you only need to call one address (and fulfill the requirements). {% endhint %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.