Skip to content

One Gadget โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information โ€‹

One Gadget allows to obtain a shell instead of using system and "/bin/sh". One Gadget will find inside the libc library some way to obtain a shell (execve("/bin/sh")) using just one address.
However, normally there are some constrains, the most common ones and easy to avoid are like [rsp+0x30] == NULL As you control the values inside the RSP you just have to send some more NULL values so the constrain is avoided.

python
ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100

To the address indicated by One Gadget you need to add the base address where libc is loaded.

โœ…

One Gadget is a great help for Arbitrary Write 2 Exec techniques and might simplify ROP chains as you only need to call one address (and fulfil the requirements).

ARM64 โ€‹

The github repo mentions that ARM64 is supported by the tool, but when running it in the libc of a Kali 2023.3 it doesn't find any gadget.

Angry Gadget โ€‹

From the github repo: Inspired by OneGadget this tool is written in python and uses angr to test constraints for gadgets executing execve('/bin/sh', NULL, NULL)
If you've run out gadgets to try from OneGadget, Angry Gadget gives a lot more with complicated constraints to try!

bash
pip install angry_gadget

angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: