https://github.com/christhecoolhut/angry_gadget

A tool for finding the one gadget RCE in libc
https://github.com/christhecoolhut/angry_gadget

angr ctf libc one-gadget-rce pwn

Last synced: 13 days ago
JSON representation

A tool for finding the one gadget RCE in libc

• Host: GitHub
• URL: https://github.com/christhecoolhut/angry_gadget
• Owner: ChrisTheCoolHut
• Created: 2020-05-30T02:56:00.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2020-05-30T03:38:29.000Z (almost 5 years ago)
• Last Synced: 2025-04-15T06:14:34.919Z (13 days ago)
• Topics: angr, ctf, libc, one-gadget-rce, pwn
• Language: Python
• Homepage:
• Size: 759 KB
• Stars: 76
• Watchers: 6
• Forks: 8
• Open Issues: 1
• Metadata Files:
  • Readme: readme.md

Awesome Lists containing this project

README

        
# Angry Gadget

Locating OneGadgets in libc.

Inspired by [OneGadget](https://github.com/david942j/one_gadget) this tool is written in python and uses [angr](https://github.com/angr/angr) to test constraints for gadgets executing `execve('/bin/sh', NULL, NULL)`

If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!

# Installation

```

pip install angry_gadget

```

or

```

git clone https://github.com/ChrisTheCoolHut/angry_gadget.git

cd angry_gadget

pip install -e .

```

# Usage

The python script accepts one positional argument.

```

$ angry_gadget.py -h

usage: angry_gadget.py [-h] binary

positional arguments:

  binary

optional arguments:

  -h, --help  show this help message and exit

```

# Example 

```

$ angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so 

Building CFG, this will take a moment

100% |###############################################################################################| Elapsed Time: 0:03:08 Time:  0:03:08

Iterating over XREFs looking for gadget

100%|#######################################################################################################| 14/14 [00:01<00:00,  8.39it/s]

Trying 0x4f0fe9: 100%|######################################################################################| 16/16 [02:03<00:00,  7.75s/it]

libc_base + 0xf6661 :

	

	

	

	

	

	

libc_base + 0xf6669 :

	

	

	

	

	

	

 ----- SNIP ------

libc_base + 0xf115d :

	

	

	

libc_base + 0x6f5bb :

	

libc_base + 0x6f5be :

	

libc_base + 0x6f5c1 :

	

libc_base + 0x6f5c3 :

	

libc_base + 0x4526a :

libc_base + 0xf02a4 :

libc_base + 0xf1147 :

```

# Notes

 * It's slower than OneGadget, so you should probably still use that.

 * It's only 64bit, if there is interest, I can expand it to 32bit.