https://github.com/zolutal/pwn_gadget
Check for satisfied one gadget constraints using the state of a running gdb instance
- Host: GitHub
- URL: https://github.com/zolutal/pwn_gadget
- Owner: zolutal
- Created: 2022-09-02T22:34:02.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-02-06T06:03:28.000Z (over 2 years ago)
- Last Synced: 2025-09-14T21:58:12.680Z (10 months ago)
- Topics: ctf, gdb-plugin, one-gadget-rce, pwn, pwntools
- Language: Python
- Homepage:
- Size: 114 KB
- Stars: 9
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# pwn_gadget
Check for satisfied one gadget constraints using the state of a running gdb instance
# Installation
*Required*: the [one_gadget](https://github.com/david942j/one_gadget) tool must be installed and on your PATH; it is invoked via subprocess to gather the gadgets and their constraints.
## Manual Install
Installs the pwn_gadget package for use in pwntools scripts and as a gdb command:
```sh
git clone https://github.com/zolutal/pwn_gadget && \
pip install pwn_gadget/ && \
cp pwn_gadget/pwn_gadget.py ~/.pwn_gadget.py && echo "source ~/.pwn_gadget.py" >> ~/.gdbinit
```
## Installation from PyPI
Installs the pwn_gadget package for use in pwntools scripts; this does not set up the gdb command
(and the PyPI release may be somewhat outdated):
```sh
pip install pwn-gadget
```
# How does this work?
pwn_gadget parses the constraints generated by [one_gadget](https://github.com/david942j/one_gadget) in Python into a format that can be evaluated by a gdb `print` command.
Using the gdb Python API, reached either from the gdb plugin or through pwntools' gdb module, it runs the commands derived from the one_gadget constraints.
It then applies all of the boolean operations in the one_gadget constraints to the results returned by gdb.
It searches for a gadget where every boolean operation returned True, returning either that gadget's offset or None.
Whether or not a satisfiable gadget is found, color-coded information on the succeeding and failing constraints of each gadget is printed.
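To make the parse-then-evaluate loop concrete, here is an added Python example (not pwn_gadget's own code) that reproduces it over constructed one_gadget-style output and a constructed register/memory snapshot standing in for a paused gdb session; the offsets, register values and the `SAMPLE_OUTPUT`, `REGS` and `MEM` names are invented for the demo. It also covers the two cases a checker must not get wrong: a constraint in syntax it does not understand and a memory read it cannot resolve both count as unsatisfied.

```python
# Constructed one_gadget-style output; offsets and constraints are invented for this demo.
SAMPLE_OUTPUT = """\
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""
REGS = {"rsp": 0x7FFD12345670, "rcx": 0x41}  # constructed snapshot standing in for gdb
MEM = {0x7FFD12345670 + 0x70: 0}             # the qword at rsp+0x70 is NULL

def parse_one_gadget(text):
    """[(offset, [constraint, ...]), ...] from one_gadget's text output."""
    gadgets = []
    for block in text.strip().split("\n\n"):
        head, *rest = block.splitlines()
        cons = [l.strip() for l in rest if l.strip() and l.strip() != "constraints:"]
        gadgets.append((int(head.split()[0], 16), cons))
    return gadgets

def term_value(term, regs, mem):
    """NULL, a register, a literal, or an 8-byte load [reg+off] (None if unmapped)."""
    if term.startswith("["):
        reg, _, off = term[1:-1].partition("+")
        return mem.get(regs[reg] + int(off or "0", 16))
    return regs[term] if term in regs else int(term.replace("NULL", "0"), 0)

def check_constraint(constraint, regs, mem):
    """True only if the constraint is understood and holds; anything else is unsatisfied."""
    try:
        lhs, rhs = constraint.split(" == ")
        reg, _, mask = lhs.partition(" & ")  # one_gadget means (reg & mask) == rhs
        left = term_value(reg, regs, mem)
        if mask:
            left &= int(mask, 0)
        return left is not None and left == term_value(rhs, regs, mem)
    except (ValueError, KeyError, TypeError):
        return False

def find_gadget(text, regs, mem):
    """First offset whose constraints all hold, else None; prints each check."""
    for offset, cons in parse_one_gadget(text):
        results = [(c, check_constraint(c, regs, mem)) for c in cons]
        print(f"{offset:#x}: " + "; ".join(f"{c} -> {ok}" for c, ok in results))
        if all(ok for _, ok in results):
            return offset
    return None
```

`find_gadget(SAMPLE_OUTPUT, REGS, MEM)` prints one line per gadget and returns `0x10a38c`, because `rcx` is non-zero in the snapshot. Anything that forwards `rsp & 0xf == 0` to gdb's `print` instead must parenthesise the `&` term, since C gives `==` higher precedence than `&`.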
# Usage
## As a gdb plugin
```
(gdb) pwn_gadget ./libc.so.6
```
## In a pwntools script
```python
from pwn import *
import pwn_gadget

p = process("chal")
libc = p.libc

# attach gdb with its Python API enabled and set a breakpoint at the target address
_, gdb_api = gdb.attach(p, gdbscript="b *(vuln+180)", api=True)
# attaching leaves the process stopped: resume it and wait for the breakpoint,
# so the register and stack state checked below is the one at vuln+180
gdb_api.continue_and_wait()

# look for a gadget whose one_gadget constraints are all satisfied in this state
gadget = pwn_gadget.find_gadget(gdb_api, libc.path)
if gadget is None:
    error("no one_gadget has all of its constraints satisfied here")

# the returned value is an offset into libc; rebase it for the payload
payload = b"A" * 32 + p64(gadget + libc.address)
p.sendline(payload)
gdb_api.continue_nowait()  # let the stopped process consume the payload
p.interactive()
```
# Example Output
## Success

## Failure
