Check which one_gadget constraints are satisfied using the state of a running gdb instance.
Requires the one_gadget tool to be installed and on your PATH; it is invoked via subprocess to collect the gadgets and their constraints.
Installs the pwn_gadget package for use in pwntools scripts and as a gdb command:
git clone https://github.com/zolutal/pwn_gadget && \
pip install pwn_gadget/ && \
cp pwn_gadget/pwn_gadget.py ~/.pwn_gadget.py && echo "source ~/.pwn_gadget.py" >> ~/.gdbinit
Installs the pwn_gadget package from PyPI for use in pwntools scripts only; this does not set up the gdb command, and the PyPI release may lag behind the repository:
pip install pwn-gadget
pwn_gadget parses the constraints generated by one_gadget in Python into expressions that a gdb print command can evaluate.
Using the gdb Python API, reached either from the gdb plugin or through pwntools' gdb module, it evaluates those expressions against the state of the stopped inferior.
It then applies the boolean operations from the one_gadget constraints to the values gdb returned.
It searches for a gadget for which every constraint evaluated to True, returning that gadget's offset, or None if no gadget's constraints are all satisfied.
Whether or not a satisfiable gadget is found, color-coded output lists the passing and failing constraints for each gadget.
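The following is an added example illustrating that pipeline offline; it is not pwn_gadget's own code. It parses one_gadget-style output into a small constraint representation, renders each constraint as the expression a gdb print command (or gdb.parse_and_eval) would evaluate, and then evaluates it. Where the real tool hands the expression to the live inferior, this example evaluates against a constructed register/memory state so it runs without gdb. The one_gadget output, the offsets in it and the register/memory values are all constructed for the example, and the subset of constraint forms handled (register comparisons, masked registers, qword loads) is an assumption; anything else, such as "address ... is writable" or "... is a valid argv", is reported as unsupported and counted as failed so it can never produce a false positive.

```python
import re

# Constructed sample in one_gadget's output layout (offset line, "constraints:",
# one constraint per line, blank line between gadgets). The offsets and
# constraints are invented for this example, not taken from any real libc.
SAMPLE_ONE_GADGET_OUTPUT = """\
0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL

0x4f302 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a2fc execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
  address rsp+0x70 is writable
"""

# Constructed stand-in for the stopped inferior: registers plus a sparse map of
# qwords (missing address = unmapped). rsp is aligned, rcx non-NULL, both qwords 0.
SAMPLE_REGS = {"rsp": 0x7FFC1234A000, "rcx": 0x7F00DEADBEEF}
SAMPLE_MEM = {0x7FFC1234A040: 0, 0x7FFC1234A070: 0}

_CMP = re.compile(r"(.+?)\s*(==|!=)\s*(NULL|0x[0-9a-f]+|\d+)")
_MEM = re.compile(r"\[(\w+)\s*(?:([+-])\s*(0x[0-9a-f]+|\d+))?\]")
_AND = re.compile(r"(\w+)\s*&\s*(0x[0-9a-f]+|\d+)")

def parse_one_gadget(text):
    """Split one_gadget's output into (offset, [raw constraint strings]) pairs."""
    gadgets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        offset = int(lines[0].split()[0], 16)
        gadgets.append((offset, [ln for ln in lines[1:] if ln != "constraints:"]))
    return gadgets

def parse_constraint(constraint):
    """Parse one constraint into (lhs, op, rhs); lhs is ("reg", name),
    ("mem", base_reg, offset) or ("and", reg, mask). Unmodelled forms -> None."""
    m = _CMP.fullmatch(constraint)
    if not m:
        return None
    lhs, op, rhs = m.groups()
    rhs = 0 if rhs == "NULL" else int(rhs, 0)
    mem = _MEM.fullmatch(lhs)
    if mem:
        off = int(mem.group(3), 0) if mem.group(3) else 0
        return (("mem", mem.group(1), -off if mem.group(2) == "-" else off), op, rhs)
    masked = _AND.fullmatch(lhs)
    if masked:
        return (("and", masked.group(1), int(masked.group(2), 0)), op, rhs)
    return (("reg", lhs), op, rhs) if re.fullmatch(r"\w+", lhs) else None

def to_gdb_expr(ir):
    """Render a parsed constraint as the expression gdb's print command (or
    gdb.parse_and_eval) would evaluate against the live inferior."""
    lhs, op, rhs = ir
    if lhs[0] == "reg":
        term = f"${lhs[1]}"
    elif lhs[0] == "and":
        term = f"(${lhs[1]} & {lhs[2]:#x})"
    else:
        term = f"*(unsigned long*)(${lhs[1]}{lhs[2]:+#x})"
    return f"{term} {op} {rhs:#x}"

def eval_constraint(ir, regs, mem):
    # Offline evaluation against the constructed state, mirroring what gdb would compute.
    lhs, op, rhs = ir
    if lhs[0] == "reg":
        val = regs[lhs[1]]
    elif lhs[0] == "and":
        val = regs[lhs[1]] & lhs[2]
    else:
        val = mem.get(regs[lhs[1]] + lhs[2])
        if val is None:  # unmapped: gdb's read would error, so the constraint fails
            return False
    return val == rhs if op == "==" else val != rhs

def find_gadget(one_gadget_output, regs, mem):
    """Return (offset, report): the first gadget whose constraints all hold
    (None if none) and, per gadget, [(constraint, gdb_expr_or_None, passed)]."""
    found, report = None, {}
    for offset, constraints in parse_one_gadget(one_gadget_output):
        results = []
        for c in constraints:
            ir = parse_constraint(c)
            # An unsupported constraint counts as failed, never as ignored, so it
            # cannot turn an unverified gadget into a false positive.
            ok = eval_constraint(ir, regs, mem) if ir is not None else False
            results.append((c, to_gdb_expr(ir) if ir is not None else None, ok))
        report[offset] = results
        if found is None and all(ok for _, _, ok in results):
            found = offset
    return found, report

if __name__ == "__main__":
    offset, report = find_gadget(SAMPLE_ONE_GADGET_OUTPUT, SAMPLE_REGS, SAMPLE_MEM)
    for off, results in report.items():
        print(f"{off:#x}", [(c, ok) for c, _, ok in results])
    print("satisfied gadget:", None if offset is None else f"{offset:#x}")
```

With the constructed state the first gadget fails on rcx, the second is fully satisfied and is returned, and the third passes its qword check but is reported with its writability constraint unsupported, so it is not chosen. Treating unsupported constraints as failures is the conservative choice: a gadget that looks satisfied only because a constraint was skipped is exactly the kind of false positive that wastes time at the breakpoint.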
(gdb) pwn_gadget ./libc.so.6
from pwn import *
import pwn_gadget
p = process("chal")
libc = p.libc  # ELF for the mapped libc; libc.address is its runtime base
# attach gdb with the Python API enabled and break at the target address
_, gdb_api = gdb.attach(p, gdbscript="b *(vuln+180)", api=True)
# ask pwn_gadget for an offset whose constraints hold in the inferior's current
# stopped state; it returns None if no gadget is satisfied, so check before using it
gadget = pwn_gadget.find_gadget(gdb_api, libc.path)
# rebase the found offset onto the libc load address and use it in the payload
payload = b"A"*32 + p64(gadget+libc.address)
p.sendline(payload)
p.interactive()