one_gadget RCE
What is one_gadget RCE?
An exploitation shortcut in CTFs and real exploits that calls a single libc address to spawn a shell, provided register and stack constraints are met.
A one_gadget is a single instruction sequence inside glibc that ultimately calls execve("/bin/sh", NULL, NULL) when reached with specific register and stack preconditions. The popular tool one_gadget by david942j scans a libc to enumerate these addresses and their constraints, such as rax == 0 or [rsp+0x40] == NULL. An exploiter who can hijack a single function pointer or return address (for example via a GOT overwrite, a FILE-stream attack, or an unsorted-bin attack) can therefore obtain a shell without building a full ROP chain. The constraints must be satisfied carefully, often with ancillary gadgets or stack pivots. Mitigations include constant blinding, CFI, system-call-filtering sandboxes, and stripped or modified libcs that remove the canonical gadgets.
● Examples
- 01
Using one_gadget to spawn /bin/sh after a single GOT-overwrite primitive in a libc-2.31 binary.
- 02
FILE-stream exploit corrupting _IO_2_1_stdout_'s vtable to jump to a satisfied one_gadget.
● Frequently asked questions
What is one_gadget RCE?
An exploitation shortcut in CTFs and real exploits that calls a single libc address to spawn a shell, provided register and stack constraints are met. It belongs to the Attacks & Threats category of cybersecurity.
What does one_gadget RCE mean?
An exploitation shortcut in CTFs and real exploits that calls a single libc address to spawn a shell, provided register and stack constraints are met.
How does one_gadget RCE work?
A one_gadget is a single instruction sequence inside glibc that ultimately calls execve("/bin/sh", NULL, NULL) when reached with specific register and stack preconditions. The popular tool one_gadget by david942j scans a libc to enumerate these addresses and their constraints, such as rax == 0 or [rsp+0x40] == NULL. An exploiter who can hijack a single function pointer or return address (for example via a GOT overwrite, a FILE-stream attack, or an unsorted-bin attack) can therefore obtain a shell without building a full ROP chain. The constraints must be satisfied carefully, often with ancillary gadgets or stack pivots. Mitigations include constant blinding, CFI, system-call-filtering sandboxes, and stripped or modified libcs that remove the canonical gadgets.
How do you defend against one_gadget RCE?
Defences for one_gadget RCE typically combine technical controls and operational practices, as detailed in the full definition above.
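As an added illustration of the system-call-filtering mitigation named in the definition (this code is not part of the original page; the seccomp-BPF approach, the helper names and the /bin/sh test command are my own choices), a Linux process installs a filter that fails execve and execveat with EPERM, so a one_gadget reached with every register and stack constraint satisfied still cannot spawn a shell. It assumes Linux on x86-64 or AArch64 and a C toolchain with the kernel UAPI headers.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#define HOST_ARCH AUDIT_ARCH_X86_64   /* the rax/rsp constraints above are x86-64 */
#endif
/* seccomp-BPF: kill on a foreign ABI, fail execve/execveat with EPERM, allow the
 * rest. Every one_gadget ends in execve("/bin/sh", ...), so denying that syscall
 * neutralises the gadget no matter which hijacked pointer reached it. */
static int install_no_exec_filter(void)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, sandbox the child, and have it attempt execve("/bin/sh"). Returns the
 * child's errno (EPERM when the filter works), 0 if the exec actually ran, or
 * -1 if the filter could not be installed (e.g. seccomp unavailable). */
int exec_result_under_filter(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_no_exec_filter() != 0) _exit(255);
        char *argv[] = { "/bin/sh", "-c", "exit 0", NULL };   /* constructed test command */
        execve("/bin/sh", argv, NULL);          /* blocked: returns -1, errno == EPERM */
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

The filter is applied in a forked child so the demonstrating process itself stays unrestricted; in a real service it would be installed once, early, in the process being hardened.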
What are other names for one_gadget RCE?
Common alternative names include: one_gadget.
● Related terms
- attacks (№ 569)
Jump-Oriented Programming
A code-reuse exploitation technique (Bletsch et al., 2011) that chains gadgets ending in indirect jumps via a dispatcher, providing an alternative to ROP without using ret.
- vulnerabilities (№ 667)
Memory Corruption
An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type-safety, control flow, or data integrity.
- vulnerabilities (№ 131)
Buffer Overflow
A memory-safety flaw where a program writes past the end of an allocated buffer, corrupting adjacent memory and often enabling code execution.