Channel: Security Tools – Security List Network™

one_gadget ~ A tool to easily find the one-gadget RCE in libc.so.6.

One-gadget is a useful gadget in glibc, which leads to a call to execve('/bin/sh', NULL, NULL). It's convenient to use it to get RCE (remote code execution) whenever we can only control ip (i.e. the program counter). For example, sometimes the vulnerability only leads to an arbitrary function call without control of the first argument, which prevents us from calling system("sh"). But one-gadgets can do the magic in this situation. I used to use IDA Pro to find these gadgets every time, even if I had found them before. So I decided to stop doing such routine work and develop an easy-to-use tool for it.

one_gadget v1.5.0

Dependencies:
+ ruby version >= 2.1.0

Usage:

git clone https://github.com/david942j/one_gadget && cd one_gadget
gem install bundle
or
gem install one_gadget
cd bin
./one_gadget -h
./one_gadget /lib/x86_64-linux-gnu/libc.so.6 --level 1

Source: https://github.com/david942j

