[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-8001":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":15,"stars30d":17,"stars90d":16,"forks30d":16,"starsTrendScore":15,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":20,"hasPages":20,"topics":22,"createdAt":10,"pushedAt":10,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":16,"starSnapshotCount":16,"syncStatus":15,"lastSyncTime":35,"discoverSource":36},8001,"one_gadget","david942j\u002Fone_gadget","david942j","The best tool for finding one gadget RCE in libc.so.6","",null,"Ruby",2326,149,22,2,0,8,28.53,"MIT License",false,"master",[23,24,25,26,27,28,29,30,31],"ctf","exploit","gadget","glibc","libc","one-gadget-rce","pwn","pwnable","shell","2026-06-12 02:01:47","[![Downloads](https:\u002F\u002Fimg.shields.io\u002Fendpoint?url=https:\u002F\u002Fgem-badge-h3lg.onrender.com\u002Fdownloads\u002Fone_gadget)](https:\u002F\u002Frubygems.org\u002Fgems\u002Fone_gadget)\n\n\n[![Gem Version](https:\u002F\u002Fbadge.fury.io\u002Frb\u002Fone_gadget.svg)](https:\u002F\u002Fbadge.fury.io\u002Frb\u002Fone_gadget)\n[![Build Status](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fworkflows\u002Fbuild\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Factions)\n[![Maintainability](https:\u002F\u002Fqlty.sh\u002Fgh\u002Fdavid942j\u002Fprojects\u002Fone_gadget\u002Fmaintainability.svg)](https:\u002F\u002Fqlty.sh\u002Fgh\u002Fdavid942j\u002Fprojects\u002Fone_gadget)\n[![Code 
Coverage](https:\u002F\u002Fqlty.sh\u002Fgh\u002Fdavid942j\u002Fprojects\u002Fone_gadget\u002Fcoverage.svg)](https:\u002F\u002Fqlty.sh\u002Fgh\u002Fdavid942j\u002Fprojects\u002Fone_gadget)\n[![Inline docs](https:\u002F\u002Finch-ci.org\u002Fgithub\u002Fdavid942j\u002Fone_gadget.svg?branch=master)](https:\u002F\u002Finch-ci.org\u002Fgithub\u002Fdavid942j\u002Fone_gadget)\n[![Yard Docs](http:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fyard-docs-blue.svg)](https:\u002F\u002Fwww.rubydoc.info\u002Fgithub\u002Fdavid942j\u002Fone_gadget\u002F)\n[![MIT License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-blue.svg)](http:\u002F\u002Fchoosealicense.com\u002Flicenses\u002Fmit\u002F)\n\n## OneGadget\n\nWhen playing CTF pwn challenges we usually need a one-gadget RCE (remote code execution),\nwhich leads to a call to `execve('\u002Fbin\u002Fsh', NULL, NULL)`.\n\nThis gem provides a finder for such gadgets, so there is no need to use objdump or IDA-pro every time like a fool :wink:\n\nTo use this tool, type `one_gadget \u002Fpath\u002Fto\u002Flibc` on the command line and enjoy the magic :laughing:\n\n## Installation\n\nAvailable on RubyGems.org!\n```bash\n$ gem install one_gadget\n```\n\nNote: requires Ruby version >= 2.1.0; you can use `ruby --version` to check.\n\n## Supported Architectures\n\n- [x] i386\n- [x] amd64 (x86-64)\n- [x] aarch64 (ARMv8)\n\n## Implementation\n\nOneGadget uses symbolic execution to find the constraints under which each gadget succeeds.\n\nThe article introducing how I developed this tool can be found [on my blog](https:\u002F\u002Fdavid942j.blogspot.com\u002F2017\u002F02\u002Fproject-one-gadget-in-glibc.html).\n\n## Usage\n\n### Command Line Interface\n\n```bash\n$ one_gadget\n# Usage: one_gadget \u003CFILE|-b BuildID> [options]\n#     -b, --build-id BuildID           BuildID[sha1] of libc.\n#     -f, --[no-]force-file            Force search gadgets in file instead of build id first.\n#     -l, --level OUTPUT_LEVEL         The output level.\n#                      
                OneGadget automatically selects gadgets with higher successful probability.\n#                                      Increase this level to ask OneGadget show more gadgets it found.\n#                                      Default: 0\n#     -n, --near FUNCTIONS\u002FFILE        Order gadgets by their distance to the given functions or to the GOT functions of the given file.\n#     -o, --output-format FORMAT       Output format. FORMAT should be one of \u003Cpretty|raw|json>.\n#                                      Default: pretty\n#     -r, --raw                        Alias of -o raw. Output gadgets offset only, split with one space.\n#     -s, --script exploit-script      Run exploit script with all possible gadgets.\n#                                      The script will be run as 'exploit-script $offset'.\n#         --info BuildID               Show version information given BuildID.\n#         --base BASE_ADDRESS          The base address of libc.\n#                                      Default: 0\n#         --version                    Current gem version.\n\n```\n\n```bash\n$ one_gadget \u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6\n# 0xe3afe execve(\"\u002Fbin\u002Fsh\", r15, r12)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3b01 execve(\"\u002Fbin\u002Fsh\", r15, rdx)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# 0xe3b04 execve(\"\u002Fbin\u002Fsh\", rsi, rdx)\n# constraints:\n#   [rsi] == NULL || rsi == NULL || rsi is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n\n```\n![x86_64](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fblob\u002Fmaster\u002Fexamples\u002Fx86_64.png?raw=true)\n\n#### Given BuildID\n```bash\n$ one_gadget -b aad7dbe330f23ea00ca63daf793b766b51aceb5d\n# 0x4557a execve(\"\u002Fbin\u002Fsh\", 
rsp+0x30, environ)\n# constraints:\n#   [rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv\n#\n# 0xf1651 execve(\"\u002Fbin\u002Fsh\", rsp+0x40, environ)\n# constraints:\n#   [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv\n#\n# 0xf24cb execve(\"\u002Fbin\u002Fsh\", rsp+0x60, environ)\n# constraints:\n#   [rsp+0x60] == NULL || {[rsp+0x60], [rsp+0x68], [rsp+0x70], [rsp+0x78], ...} is a valid argv\n\n```\n![build id](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fblob\u002Fmaster\u002Fexamples\u002Ffrom_build_id.png?raw=true)\n\n#### Gadgets Near Functions\n\n##### Why\n\nConsider this scenario when exploiting:\n1. You are able to write to the GOT (Global Offset Table)\n2. The base address of libc is *unknown*\n\nIn this scenario you can choose to overwrite the two low bytes of a GOT entry with the two low bytes of a one-gadget.\nIf the offset of the function in the GOT is close enough to the one-gadget,\nyou will have at least a 1\u002F16 chance of success.\n\n##### Usage\n\nReorder gadgets according to their distance from the given functions.\n\n```bash\n$ one_gadget \u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6 --near exit,mkdir\n# [OneGadget] Gadgets near exit(0x46a40):\n# 0xe3afe execve(\"\u002Fbin\u002Fsh\", r15, r12)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3b01 execve(\"\u002Fbin\u002Fsh\", r15, rdx)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# 0xe3b04 execve(\"\u002Fbin\u002Fsh\", rsi, rdx)\n# constraints:\n#   [rsi] == NULL || rsi == NULL || rsi is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# [OneGadget] Gadgets near mkdir(0x10de70):\n# 0xe3b04 execve(\"\u002Fbin\u002Fsh\", rsi, rdx)\n# constraints:\n#   [rsi] == NULL || rsi == NULL || rsi is a valid argv\n#   [rdx] == NULL || rdx == NULL 
|| rdx is a valid envp\n#\n# 0xe3b01 execve(\"\u002Fbin\u002Fsh\", r15, rdx)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# 0xe3afe execve(\"\u002Fbin\u002Fsh\", r15, r12)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n\n```\n![near](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fblob\u002Fmaster\u002Fexamples\u002Fnear.png?raw=true)\n\nRegular expressions are accepted.\n```bash\n$ one_gadget \u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6 --near 'write.*' --raw\n# [OneGadget] Gadgets near writev(0x114690):\n# 932612 932609 932606\n#\n# [OneGadget] Gadgets near write(0x10e280):\n# 932612 932609 932606\n#\n\n```\n\nPass an ELF file as the argument and OneGadget will use all of its GOT functions.\n```bash\n$ one_gadget \u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6 --near spec\u002Fdata\u002Ftest_near_file.elf --raw\n# [OneGadget] Gadgets near exit(0x46a40):\n# 932606 932609 932612\n#\n# [OneGadget] Gadgets near puts(0x84420):\n# 932606 932609 932612\n#\n# [OneGadget] Gadgets near printf(0x61c90):\n# 932606 932609 932612\n#\n# [OneGadget] Gadgets near strlen(0x9f630):\n# 932606 932609 932612\n#\n# [OneGadget] Gadgets near __cxa_finalize(0x46f10):\n# 932606 932609 932612\n#\n# [OneGadget] Gadgets near __libc_start_main(0x23f90):\n# 932606 932609 932612\n#\n\n```\n\n#### Show All Gadgets\n\nSometimes `one_gadget` finds too many gadgets to show on one screen,\nso by default gadgets are filtered automatically *according to the difficulty of constraints*.\n\nUse option `--level 1` to show all gadgets found instead of only those with higher probabilities.\n\n```bash\n$ one_gadget \u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6 --level 1\n# 0x51dfb posix_spawn(rsp+0xc, \"\u002Fbin\u002Fsh\", 0, rbp, rsp+0x50, environ)\n# constraints:\n#   address rsp+0x60 is writable\n#   
rsp & 0xf == 0\n#   {\"sh\", \"-c\", rbx, NULL} is a valid argv\n#   rbp == NULL || (u16)[rbp] == NULL\n#\n# 0x51e02 posix_spawn(rsp+0xc, \"\u002Fbin\u002Fsh\", 0, rbp, rsp+0x50, environ)\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   rax == NULL || {\"sh\", rax, rbx, NULL} is a valid argv\n#   rbp == NULL || (u16)[rbp] == NULL\n#\n# 0x51e09 posix_spawn(rsp+0xc, \"\u002Fbin\u002Fsh\", 0, rbp, rsp+0x50, environ)\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   rcx == NULL || {rcx, rax, rbx, NULL} is a valid argv\n#   rbp == NULL || (u16)[rbp] == NULL\n#\n# 0x51e10 posix_spawn(rsp+0xc, \"\u002Fbin\u002Fsh\", rdx, rbp, rsp+0x50, environ)\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   rcx == NULL || {rcx, (u64)xmm1, rbx, NULL} is a valid argv\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rbp == NULL || (u16)[rbp] == NULL\n#\n# 0x51e15 posix_spawn(rsp+0xc, \"\u002Fbin\u002Fsh\", rdx, rbp, rsp+0x50, environ)\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, rbx, NULL} is a valid argv\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rbp == NULL || (u16)[rbp] == NULL\n#\n# 0x51e25 posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, rbp, rsp+0x50, [rax])\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), rbx, NULL} is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rdi == NULL || writable: rdi\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rbp == NULL || (u16)[rbp] == NULL\n#\n# 0x51e2a posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, rbp, r8, [rax])\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   [r8] == NULL || r8 is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rdi == NULL || writable: rdi\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rbp == NULL || 
(u16)[rbp] == NULL\n#\n# 0x51e2d posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, rcx, r8, [rax])\n# constraints:\n#   address rsp+0x60 is writable\n#   rsp & 0xf == 0\n#   [r8] == NULL || r8 is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rdi == NULL || writable: rdi\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rcx == NULL || (u16)[rcx] == NULL\n#\n# 0x51e32 posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, rcx, r8, [rax])\n# constraints:\n#   address rsp+0x68 is writable\n#   rsp & 0xf == 0\n#   [r8] == NULL || r8 is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rdi == NULL || writable: rdi\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rcx == NULL || (u16)[rcx] == NULL\n#\n# 0x84135 posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", r12, 0, rsp+0x60, environ)\n# constraints:\n#   address rsp+0x70 is writable\n#   rsp & 0xf == 0\n#   {\"sh\", \"-c\", rbp, NULL} is a valid argv\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   r12 == NULL || (s32)[r12+0x4] \u003C= 0\n#\n# 0x8413c posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", r12, 0, rsp+0x60, environ)\n# constraints:\n#   address rsp+0x70 is writable\n#   rsp & 0xf == 0\n#   rax == NULL || {\"sh\", rax, rbp, NULL} is a valid argv\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   r12 == NULL || (s32)[r12+0x4] \u003C= 0\n#\n# 0x84143 posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", r12, 0, rsp+0x60, environ)\n# constraints:\n#   address rsp+0x70 is writable\n#   rsp & 0xf == 0\n#   rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   r12 == NULL || (s32)[r12+0x4] \u003C= 0\n#\n# 0x84146 posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", rdx, 0, rsp+0x60, environ)\n# constraints:\n#   address rsp+0x70 is writable\n#   rsp & 0xf == 0\n#   rcx == NULL || {rcx, rax, rbp, NULL} is a valid argv\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#\n# 0x8414b posix_spawn(rbx+0xe0, 
\"\u002Fbin\u002Fsh\", rdx, 0, rsp+0x60, environ)\n# constraints:\n#   address rsp+0x78 is writable\n#   rsp & 0xf == 0\n#   rcx == NULL || {rcx, rax, [rsp+0x70], NULL} is a valid argv\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#\n# 0x84150 posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", rdx, 0, rsp+0x60, environ)\n# constraints:\n#   address rsp+0x78 is writable\n#   rsp & 0xf == 0\n#   rcx == NULL || {rcx, (u64)xmm1, [rsp+0x70], NULL} is a valid argv\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#\n# 0x8415c posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", rdx, 0, rsp+0x60, [rax])\n# constraints:\n#   address rsp+0x78 is writable\n#   rsp & 0xf == 0\n#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)xmm1, [rsp+0x70], NULL} is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#\n# 0x84162 posix_spawn(rbx+0xe0, \"\u002Fbin\u002Fsh\", rdx, rcx, rsp+0x60, [rax])\n# constraints:\n#   address rsp+0x78 is writable\n#   rsp & 0xf == 0\n#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rbx+0xe0 == NULL || writable: rbx+0xe0\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rcx == NULL || (u16)[rcx] == NULL\n#\n# 0x84169 posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, rcx, rsp+0x60, [rax])\n# constraints:\n#   address rsp+0x78 is writable\n#   rsp & 0xf == 0\n#   (u64)xmm0 == NULL || {(u64)xmm0, (u64)(xmm0 >> 64), [rsp+0x70], NULL} is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rdi == NULL || writable: rdi\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rcx == NULL || (u16)[rcx] == NULL\n#\n# 0x84170 posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, rcx, r8, [rax])\n# constraints:\n#   address rsp+0x78 is writable\n#   rsp & 0xf == 0\n#   [r8] == 
NULL || r8 is a valid argv\n#   [[rax]] == NULL || [rax] == NULL || [rax] is a valid envp\n#   rdi == NULL || writable: rdi\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#   rcx == NULL || (u16)[rcx] == NULL\n#\n# 0xe3afe execve(\"\u002Fbin\u002Fsh\", r15, r12)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3b01 execve(\"\u002Fbin\u002Fsh\", r15, rdx)\n# constraints:\n#   [r15] == NULL || r15 == NULL || r15 is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# 0xe3b04 execve(\"\u002Fbin\u002Fsh\", rsi, rdx)\n# constraints:\n#   [rsi] == NULL || rsi == NULL || rsi is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# 0xe3cf3 execve(\"\u002Fbin\u002Fsh\", r10, r12)\n# constraints:\n#   address rbp-0x78 is writable\n#   [r10] == NULL || r10 == NULL || r10 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3cf6 execve(\"\u002Fbin\u002Fsh\", r10, rdx)\n# constraints:\n#   address rbp-0x78 is writable\n#   [r10] == NULL || r10 == NULL || r10 is a valid argv\n#   [rdx] == NULL || rdx == NULL || rdx is a valid envp\n#\n# 0xe3d62 execve(\"\u002Fbin\u002Fsh\", rbp-0x50, r12)\n# constraints:\n#   address rbp-0x48 is writable\n#   r13 == NULL || {\"\u002Fbin\u002Fsh\", r13, NULL} is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3d69 execve(\"\u002Fbin\u002Fsh\", rbp-0x50, r12)\n# constraints:\n#   address rbp-0x48 is writable\n#   rax == NULL || {rax, r13, NULL} is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3d70 execve(\"\u002Fbin\u002Fsh\", rbp-0x50, r12)\n# constraints:\n#   address rbp-0x50 is writable\n#   rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3da7 execve(\"\u002Fbin\u002Fsh\", rbp-0x50, r12)\n# constraints:\n#   address rbp-0x50 is writable\n#   
[rbp-0x68] == NULL || {\"\u002Fbin\u002Fsh\", [rbp-0x68], NULL} is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3db1 execve(\"\u002Fbin\u002Fsh\", rbp-0x50, r12)\n# constraints:\n#   address rbp-0x50 is writable\n#   rax == NULL || {rax, [rbp-0x68], NULL} is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3db5 execve(\"\u002Fbin\u002Fsh\", r10, r12)\n# constraints:\n#   addresses r10+0x10, rbp-0x50 are writable\n#   [r10] == NULL || r10 == NULL || r10 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0xe3dbd execve(\"\u002Fbin\u002Fsh\", r10, r12)\n# constraints:\n#   addresses r10+0x10, rbp-0x48 are writable\n#   [r10] == NULL || r10 == NULL || r10 is a valid argv\n#   [r12] == NULL || r12 == NULL || r12 is a valid envp\n#\n# 0x1077ca posix_spawn(rsp+0x64, \"\u002Fbin\u002Fsh\", [rsp+0x38], 0, rsp+0x70, [rsp+0xf0])\n# constraints:\n#   [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv\n#   [[rsp+0xf0]] == NULL || [rsp+0xf0] == NULL || [rsp+0xf0] is a valid envp\n#   [rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] \u003C= 0\n#\n# 0x1077d2 posix_spawn(rsp+0x64, \"\u002Fbin\u002Fsh\", [rsp+0x38], 0, rsp+0x70, r9)\n# constraints:\n#   [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv\n#   [r9] == NULL || r9 == NULL || r9 is a valid envp\n#   [rsp+0x38] == NULL || (s32)[[rsp+0x38]+0x4] \u003C= 0\n#\n# 0x1077d7 posix_spawn(rsp+0x64, \"\u002Fbin\u002Fsh\", rdx, 0, rsp+0x70, r9)\n# constraints:\n#   [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv\n#   [r9] == NULL || r9 == NULL || r9 is a valid envp\n#   rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n#\n# 0x1077e1 posix_spawn(rdi, \"\u002Fbin\u002Fsh\", rdx, 0, r8, r9)\n# constraints:\n#   [r8] == NULL || r8 is a valid argv\n#   [r9] == NULL || r9 == NULL || r9 is a valid envp\n#   rdi == NULL || writable: rdi\n#  
 rdx == NULL || (s32)[rdx+0x4] \u003C= 0\n\n```\n\n#### Other Architectures\n\n##### i386\n```bash\n$ one_gadget \u002Flib32\u002Flibc.so.6\n# 0xc890b execve(\"\u002Fbin\u002Fsh\", [ebp-0x2c], esi)\n# constraints:\n#   address ebp-0x20 is writable\n#   ebx is the GOT address of libc\n#   [[ebp-0x2c]] == NULL || [ebp-0x2c] == NULL || [ebp-0x2c] is a valid argv\n#   [esi] == NULL || esi == NULL || esi is a valid envp\n#\n# 0x1421b3 execl(\"\u002Fbin\u002Fsh\", eax)\n# constraints:\n#   ebp is the GOT address of libc\n#   eax == NULL\n#\n# 0x1421b4 execl(\"\u002Fbin\u002Fsh\", [esp])\n# constraints:\n#   ebp is the GOT address of libc\n#   [esp] == NULL\n\n```\n![i386](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fblob\u002Fmaster\u002Fexamples\u002Fi386.png?raw=true)\n\n##### AArch64\n```bash\n$ one_gadget spec\u002Fdata\u002Faarch64-libc-2.27.so\n# 0x3f160 execve(\"\u002Fbin\u002Fsh\", sp+0x70, environ)\n# constraints:\n#   address x20+0x338 is writable\n#   x3 == NULL\n#\n# 0x3f184 execve(\"\u002Fbin\u002Fsh\", sp+0x70, environ)\n# constraints:\n#   addresses x19+0x4, x20+0x338 are writable\n#   [sp+0x70] == NULL\n#\n# 0x3f1a8 execve(\"\u002Fbin\u002Fsh\", x21, environ)\n# constraints:\n#   addresses x19+0x4, x20+0x338 are writable\n#   [x21] == NULL || x21 == NULL\n#\n# 0x63e90 execl(\"\u002Fbin\u002Fsh\", x1)\n# constraints:\n#   x1 == NULL\n\n```\n![aarch64](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fblob\u002Fmaster\u002Fexamples\u002Faarch64.png?raw=true)\n\n#### Combine with Script\nPass your exploit script as an argument to `one_gadget` and it will\ntry all gadgets one by one, so you don't need to try every possible gadget manually.\n\n```bash\n$ one_gadget .\u002Fspec\u002Fdata\u002Flibc-2.19.so -s 'echo \"offset ->\"'\n```\n\n![--script](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fblob\u002Fmaster\u002Fexamples\u002Fscript.png?raw=true)\n\n### In Ruby Scripts\n```ruby\nrequire 
'one_gadget'\nOneGadget.gadgets(file: '\u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6')\n#=> [932606, 932609, 932612]\n\n# or in a shorter way\none_gadget('\u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6', level: 1)\n#=> [335355, 335362, 335369, 335376, 335381, 335397, 335402, 335405, 335410, 540981, 540988, 540995, 540998, 541003, 541008, 541020, 541026, 541033, 541040, 932606, 932609, 932612, 933107, 933110, 933218, 933225, 933232, 933287, 933297, 933301, 933309, 1079242, 1079250, 1079255, 1079265]\n\n# from build id\none_gadget('b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0')\n#=> [324286, 324293, 324386, 1090444]\n\n```\n\n### To Python Lovers\n```python\nimport subprocess\ndef one_gadget(filename):\n  return [int(i) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')]\n\none_gadget('\u002Flib\u002Fx86_64-linux-gnu\u002Flibc.so.6')\n#=> [932606, 932609, 932612]\n\n```\n\n## Make OneGadget Better\nAny suggestion or feature request is welcome! Feel free to send a pull request.\n\nPlease let me know if you find any libc that makes OneGadget fail to find gadgets.\nAnd, if you like this work, I'll be happy to be [starred](https:\u002F\u002Fgithub.com\u002Fdavid942j\u002Fone_gadget\u002Fstargazers) :grimacing:\n","OneGadget is a tool for finding single gadgets in libc.so.6 that achieve remote code execution (RCE). It uses symbolic execution to analyze and find gadgets that satisfy the required conditions, avoiding the tedious process of manually using objdump or IDA-pro every time. The tool supports the i386, amd64 and aarch64 architectures and lets users specify parameters such as output level and format through a simple command-line interface to get the information they need. OneGadget is suited to pwn challenges in CTF competitions, helping participants quickly locate exploitable weak points and solve challenges more efficiently.","2026-06-11 03:15:35","top_language"]