one-gadget RCE: a3e78b9d154d9d0936d3a1fda1743479
see also: one-gadget RCE in Ubuntu 16.04 libc - うさぎ小屋
environment
a libc for Ubuntu 16.04 or Ubuntu 16.10, x86_64
$ md5sum /lib/x86_64-linux-gnu/libc.so.6
a3e78b9d154d9d0936d3a1fda1743479 /lib/x86_64-linux-gnu/libc.so.6
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu5) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.4.0 20160609.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
gadgets
0x4526a
[rsp+0x30] = NULL
4526a: 48 8b 05 47 dc 37 00 mov rax,QWORD PTR [rip+0x37dc47] # 3c2eb8 <environ>
45271: 48 8d 3d ff 6e 14 00 lea rdi,[rip+0x146eff] # 18c177 "/bin/sh"
45278: 48 8d 74 24 30 lea rsi,[rsp+0x30]
4527d: c7 05 19 02 38 00 00 mov DWORD PTR [rip+0x380219],0x0 # 3c54a0 <__abort_msg@@GLIBC_PRIVATE+0x8c0>
45284: 00 00 00
45287: c7 05 13 02 38 00 00 mov DWORD PTR [rip+0x380213],0x0 # 3c54a4 <__abort_msg@@GLIBC_PRIVATE+0x8c4>
4528e: 00 00 00
45291: 48 8b 10 mov rdx,QWORD PTR [rax]
45294: e8 27 69 08 00 call cbbc0 <execve@@GLIBC_2.2.5>
0x6f5a6
r12 = NULL
6f5a6: 48 8d 3d ca cb 11 00 lea rdi,[rip+0x11cbca] # 18c177 "/bin/sh"
6f5ad: 48 8d 15 c0 cb 11 00 lea rdx,[rip+0x11cbc0] # 18c174 "-c"
6f5b4: 48 8d 35 c1 cb 11 00 lea rsi,[rip+0x11cbc1] # 18c17c "sh"
6f5bb: 45 31 c0 xor r8d,r8d
6f5be: 4c 89 e1 mov rcx,r12
6f5c1: 31 c0 xor eax,eax
6f5c3: e8 a8 c8 05 00 call cbe70 <execl@@GLIBC_2.2.5>
0xcc543
r12 = NULLrcx = NULL
cc543: 48 8d 3d 2d fc 0b 00 lea rdi,[rip+0xbfc2d] # 18c177 "/bin/sh"
cc54a: e9 81 fd ff ff jmp cc2d0 <execvpe@@GLIBC_2.11+0x120>
...
cc2d0: 4c 89 e2 mov rdx,r12
cc2d3: 48 89 ce mov rsi,rcx
cc2d6: e8 e5 f8 ff ff call cbbc0 <execve@@GLIBC_2.2.5>
0xcc618
rax = NULLr12 = NULL
cc618: 48 8d 3d 58 fb 0b 00 lea rdi,[rip+0xbfb58] # 18c177 "/bin/sh"
cc61f: 48 89 c6 mov rsi,rax
cc622: e9 38 fe ff ff jmp cc45f <execvpe@@GLIBC_2.11+0x2af>
...
cc45f: 4c 89 e2 mov rdx,r12
cc462: e8 59 f7 ff ff call cbbc0 <execve@@GLIBC_2.2.5>
0xef6c4
[rsp+0x50] = NULL
ef6c4: 48 8b 05 ed 37 2d 00 mov rax,QWORD PTR [rip+0x2d37ed] # 3c2eb8 <environ>
ef6cb: 48 8d 74 24 50 lea rsi,[rsp+0x50]
ef6d0: 48 8d 3d a0 ca 09 00 lea rdi,[rip+0x9caa0] # 18c177 "/bin/sh"
ef6d7: 48 8b 10 mov rdx,QWORD PTR [rax]
ef6da: e8 e1 c4 fd ff call cbbc0 <execve@@GLIBC_2.2.5>
0xf0567
[rsp+0x70] = NULL
f0567: 48 8b 05 4a 29 2d 00 mov rax,QWORD PTR [rip+0x2d294a] # 3c2eb8 <environ>
f056e: 48 8d 74 24 70 lea rsi,[rsp+0x70]
f0573: 48 8d 3d fd bb 09 00 lea rdi,[rip+0x9bbfd] # 18c177 "/bin/sh"
f057a: 48 8b 10 mov rdx,QWORD PTR [rax]
f057d: e8 3e b6 fd ff call cbbc0 <execve@@GLIBC_2.2.5>
0xf5b10
[rbp-0xf8] = NULLrcx = NULL
f5b10: 48 8d 3d 60 66 09 00 lea rdi,[rip+0x96660] # 18c177 "/bin/sh"
f5b17: eb bc jmp f5ad5 <posix_spawnp@@GLIBC_2.15+0x725>
...
f5ad5: 48 8b 95 08 ff ff ff mov rdx,QWORD PTR [rbp-0xf8]
f5adc: 48 89 ce mov rsi,rcx
f5adf: e8 dc 60 fd ff call cbbc0 <execve@@GLIBC_2.2.5>