A one_gadget is simply an execve("/bin/sh") call that is present in glibc, and this can be a quick win with GOT overwrites: the next time the overwritten function is called, the one_gadget is executed and the shell is popped.

__malloc_hook is a variable in glibc whose value is a pointer to the function that malloc uses whenever it is called. Whenever malloc() is called, whatever __malloc_hook points to also gets called, so if we can overwrite it with, say, a one_gadget, and somehow trigger a call to malloc(), we can get an easy shell.

The offsets of these gadgets are found with the one_gadget tool. To install it, run:

Isn't malloc() a heap function? How will we use it on the stack? Well, you can actually trigger a call to malloc with printf("%10000$c"): this needs too many bytes to be placed on the stack, forcing libc to allocate the space on the heap instead. So, if you have a format string vulnerability, calling malloc is trivial.

Note that the libc version in use may not even have working one_gadgets. As such, feel free to play around with the GOT overwrite binary and see if you can get a one_gadget working. The value returned by the one_gadget tool needs to be added to the libc base, as it is just an offset.