# 4.6 one-gadget RCE

one-gadget RCE 是在 libc 中存在的一些执行 `execve('/bin/sh', NULL, NULL)` 的片段。当我们知道 libc 的版本，并且可以通过信息泄露得到 libc 的基址，则可以通过控制 EIP 执行该 gadget 来获得 shell。这个方法的优点是不需要控制调用函数的参数，在 64 位程序中，也就是 rdi、rsi、rdx 等寄存器的值。

可以使用工具 [one\_gadget](https://github.com/david942j/one_gadget) 很方便地查找 one-gadget：

```
$ sudo gem install one_gadget
```

```
$ file /usr/lib/libc-2.26.so
/usr/lib/libc-2.26.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /usr/lib/ld-linux-x86-64.so.2, BuildID[sha1]=466056d0995495995ad1a1fe696c9dc7fb3d421b, for GNU/Linux 3.2.0, not stripped
$ one_gadget -f /usr/lib/libc-2.26.so
0x41e92 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x41ee7 execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xe2c20 execve("/bin/sh", rsp+0x60, environ)
constraints:
  [rsp+0x60] == NULL
```

经过验证，第一个似乎不可用，另外两个如下，通常，我们都使用 `do_system` 函数里的那个：

```
[0x00021080]> pd 7 @ 0x41ee7
|           0x00041ee7      488b056aff36.  mov rax, qword [0x003b1e58] ; [0x3b1e58:8]=0
|           0x00041eee      488d3d409313.  lea rdi, str._bin_sh        ; 0x17b235 ; "/bin/sh"
|           0x00041ef5      c70521253700.  mov dword [obj.lock_4], 0   ; [0x3b4420:4]=0
|           0x00041eff      c7051b253700.  mov dword [obj.sa_refcntr], 0 ; [0x3b4424:4]=0
|           0x00041f09      488d742430     lea rsi, [local_30h]        ; sym.lm_cache ; 0x30
|           0x00041f0e      488b10         mov rdx, qword [rax]
|           0x00041f11      67e8c9260800   call sym.execve
[0x00021080]> pd 5 @ 0xe2c20
|           0x000e2c20      488b0531f22c.  mov rax, qword [0x003b1e58] ; [0x3b1e58:8]=0
|           0x000e2c27      488d742460     lea rsi, [local_60h]        ; sym.buffer_14 ; 0x60 ; "0\x02"
|           0x000e2c2c      488d3d028609.  lea rdi, str._bin_sh        ; 0x17b235 ; "/bin/sh"
|           0x000e2c33      488b10         mov rdx, qword [rax]
|           0x000e2c36      67e8a419feff   call sym.execve
```

当然，你也可以通过 build ID 来查找对应 libc 里的 one-gadget。

```
$ one-gadget -b 466056d0995495995ad1a1fe696c9dc7fb3d421b
```

## 参考资料

* [Pwning (sometimes) with style](http://j00ru.vexillium.org/blog/24_03_15/dragons_ctf.pdf)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://firmianay.gitbook.io/ctf-all-in-one/4_tips/4.6_one-gadget_rce.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.