Skip to content

One Gadget

[AD REMOVED]

Basic Information

One Gadget allows to obtain a shell instead of using system and "/bin/sh". One Gadget will find inside the libc library some way to obtain a shell (execve("/bin/sh")) using just one address.\ However, normally there are some constrains, the most common ones and easy to avoid are like [rsp+0x30] == NULL As you control the values inside the RSP you just have to send some more NULL values so the constrain is avoided.

ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100

To the address indicated by One Gadget you need to add the base address where libc is loaded.

[!TIP] One Gadget is a great help for Arbitrary Write 2 Exec techniques and might simplify ROP chains as you only need to call one address (and fulfill the requirements).

[AD REMOVED]

All content on this page is from HackTricks, which belongs to Carlos Polop and is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license unless otherwise specified. This page is generated from the HackTricks wiki and just has the ads removed.