Using Q_GADGET in C++ & QtQuick / Habr

Aarch64

```bash
$ one_gadget spec/data/aarch64-libc-2.27.so
# 0x3f160 execve("/bin/sh", sp+0x70, environ)
# constraints:
#   address x20+0x338 is writable
#   x3 == NULL
#
# 0x3f184 execve("/bin/sh", sp+0x70, environ)
# constraints:
#   addresses x19+0x4, x20+0x338 are writable
#   [sp+0x70] == NULL
#
# 0x3f1a8 execve("/bin/sh", x21, environ)
# constraints:
#   addresses x19+0x4, x20+0x338 are writable
#   [x21] == NULL || x21 == NULL
#
# 0x63e90 execl("/bin/sh", x1)
# constraints:
#   x1 == NULL
```

Combine with script

Pass your exploit script as one_gadget's arguments and it will try all gadgets one by one, so you don't need to try every possible gadget manually.

createCookie

Stores a value in a cookie, unique to this gadget.

```javascript
createCookie: function (name, value, days){}
```

Where:

  • name — The name (key) of the cookie to store.
  • value — The value to store in the cookie.
  • days — The number of days to keep the cookie active.

eraseCookie

Removes a cookie value.

Where:

  • name — The name of the cookie value to erase.

getBaseUrl

Helper function to get the context path for JIRA. Necessary for remote requests.

getConfig

Gets the config form object, wrapper div for all config HTML (jQuery Object). It is contained within the object returned from getGadget().


getGadget

Gets the gadget object, wrapper div for all gadget HTML (jQuery object).

getMsg

Gets the i18n string from the included language bundles. Returns the key if it does not exist.

Where:

  • key — The key of the message to retrieve.

getPref

Gets a preference by name.

Where:

  • name — The name of the preference to retrieve.

getView

Gets the view object, wrapper div for all view HTML (jQuery object). This object is a div with the class of "view" and is contained within the object returned from getGadget().

getViewMode

Returns the current view mode as a string. For example "Canvas".

hideLoading

Hides the loading indicator.

Implementation

OneGadget uses symbolic execution to find the constraints under which each gadget succeeds.

The article introducing how I develop this tool can be found on my blog.

In Ruby scripts

```ruby
require 'one_gadget'
OneGadget.gadgets(file: '/lib/x86_64-linux-gnu/libc.so.6')
#=> [324293, 324386, 1090444]
# or in shorter way
one_gadget('/lib/x86_64-linux-gnu/libc.so.6', level: 1)
#=> [324293, 324386, 939679, 940120, 940127, 940131, 1090444, 1090456]
# from build id
one_gadget('b417c0ba7cc5cf06d1d1bed6652cedb9253c60d0')
#=> [324293, 324386, 1090444]
```

Installation

Available on RubyGems.org!


Note: requires ruby version >= 2.1.0, you can use ruby --version to check.

Item and property

Such types can be used as properties, and bindings can be made to them. This is done through a generic type:

```qml
Item {
    property var film

    //...
    Label {
        text: film.year
        //...
    }

    Label {
        text: film.countries
        //...
    }
    //...
}
```

Since the type is unknown until instantiation, at runtime it complains (but does not crash): TypeError: Cannot read property 'year' of undefined.

This complaint can be silenced by initializing the property with some instance:

```cpp
QQmlApplicationEngine engine;

Film film;
engine.rootContext()->setContextProperty("emptyFilm", QVariant::fromValue(film));
```

```qml
Item {
    property var film: emptyFilm

    //...
    Label {
        text: film.year
        //...
    }

    Label {
        text: film.countries
        //...
    }
    //...
}
```

This turns out to be very convenient when a StackView is used: on one screen you show the model with minimal information, and on the next screen in more detail:

In my personal opinion, such value types are very convenient.

Make OneGadget better

Any suggestion or feature request is welcome! Feel free to send a pull request.

Please let me know if you find any libc that makes OneGadget fail to find gadgets.
And, if you like this work, I'll be happy to be starred 😬

OneGadget

When playing CTF pwn challenges we usually need the one-gadget RCE (remote code execution),
which leads to calling execve('/bin/sh', NULL, NULL).

This gem provides such a gadget finder, so there is no need to use objdump or IDA Pro every time like a fool 😉. To use this tool, type one_gadget /path/to/libc on the command line and enjoy the magic 😆

Overview

Please refer to Creating a Gadget JavaScript Object for details on constructing a gadget object. The methods provided on this page can be called not only on the constructed object, but also from any method provided in the construction configs.

All methods passed in as config parameters (e.g. the view template, the config descriptor, …) are run in the scope of the gadget itself. Therefore, this refers to the gadget and any of the following methods can be called on this.

Under the hood, the constructor method AJS.Gadget(…) is a factory method that constructs a specific type of gadget depending on the config parameters passed in. The three kinds of gadgets are:

  • Standard
  • Configured (inherits all of the methods from Standard Gadget)
  • Configurable (inherits all of the methods from Configured Gadget)

Each type is described below.

Q_GADGET and Q_INVOKABLE

For some reason we cannot use a value type in methods marked Q_INVOKABLE. But we can return a QVariant holding a value type! And we can use it in JS as well! This is very convenient in models, instead of a multitude of roles and a switch:

```cpp
QVariant BucketModel::data(const QModelIndex &index, int role) const
{
    switch (role)
    {
        case Bucket:
            // The whole value-type object is handed to QML in one role
            return QVariant::fromValue(m_buckets[index.row()]);
        default:
            return QVariant();
    }
}

QHash<int, QByteArray> BucketModel::roleNames() const
{
    static const QHash<int, QByteArray> roles = {
        {Bucket, "bucket" }
    };

    return roles;
}
```

In the delegate, as usual:

```qml
delegate: ItemDelegate {
    width: parent.width
    text: bucket.name

    Image {
        visible: bucket.id === b2App.settings.bucketId

        anchors {
            right: parent.right
            verticalCenter: parent.verticalCenter
            margins: 8
        }

        source: "qrc:/icons/tick/tick.png"
    }
}
```

readCookie

Retrieve a previously stored cookie value.


Where:

  • name — The name of the cookie value to retrieve.

resize

Resizes the iframe to fit the content.

Show all gadgets

Sometimes one_gadget finds too many gadgets to show them on one screen,
so by default gadgets are filtered automatically according to the difficulty of their constraints.

Use option --level 1 to show all gadgets found instead of only those with higher probabilities.

```bash
$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --level 1
# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   rsp & 0xf == 0
#   rcx == NULL
#
# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   [rsp+0x40] == NULL
#
# 0xe569f execve("/bin/sh", r14, r12)
# constraints:
#   [r14] == NULL || r14 == NULL
#   [r12] == NULL || r12 == NULL
#
# 0xe5858 execve("/bin/sh", [rbp-0x88], [rbp-0x70])
# constraints:
#   [[rbp-0x88]] == NULL || [rbp-0x88] == NULL
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
#
# 0xe585f execve("/bin/sh", r10, [rbp-0x70])
# constraints:
#   [r10] == NULL || r10 == NULL
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL
#
# 0xe5863 execve("/bin/sh", r10, rdx)
# constraints:
#   [r10] == NULL || r10 == NULL
#   [rdx] == NULL || rdx == NULL
#
# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL
#
# 0x10a398 execve("/bin/sh", rsi, [rax])
# constraints:
#   [rsi] == NULL || rsi == NULL
#   [[rax]] == NULL || [rax] == NULL
```

showConfig

Displays the configuration screen with all fields defined during construction.

showLoading

Shows an indicator that the gadget is loading.

showMessage

Displays a message in a dialogue box.

Where:

  • type — (String.) Style of message. Options include "error", "warning", "info".
  • msg — (String, Object.) An HTML string or jQuery object containing message.
  • dismissible — (Boolean.) If set to false, no cancel button will be available.
  • usePopup — (Boolean.) If set to false, an AUI Dialog is used (otherwise defaults to AUI Message). Available since Atlassian Gadgets 2.0.6.

showView

Displays the view. When refreshing content, the view template is called. If not refreshing content, this method simply displays the currently rendered view.


Where:

  • refresh — Specifies whether or not to refresh the view content.

Gets the footer object, wrapper div for all footer HTML (jQuery Object). This object is a jQuery-wrapped div with the class of "footer".

Standard gadget

A Standard Gadget is constructed when a view parameter is passed in but no config parameter. This is useful when no configuration is needed for the gadget. An example is the Quick Issue Create gadget in JIRA.

All other gadget types extend the Standard Gadget type.

```javascript
return {
    showMessage: function (type, msg, dismissible){}, /* Displays a message in dialogue box. */
    savePref: function (name, value){},               /* Saves user preferences locally and to the database. */
    setViewMode: function (){},                       /* Toggles class of gadget to the specified view. */
    getViewMode: function (){},                       /* Returns the current view mode as a string. For example "Canvas". */
    getBaseUrl: function (){},                        /* Helper function to get the context path for jira. */
    getPrefs: function (){},                          /* Gets user preference object. */
    getPref: function (name){},                       /* Some sugar for getting a preference by name */
    getPrefArray: function (name){},                  /* Retrieves a user pref array */
    getMsg: function (key){},                         /* Gets the i18n String */
    getGadget: function (){},                         /* Gets the gadget object, wrapper div for all gadget html (jQuery Object) */
    resize: function (){},                            /* Resizes iframe to fit content */
    showLoading: function (){},                       /* Shows loading indicator */
    hideLoading: function (){},                       /* Hides loading indicator */
    createCookie: function (name, value, days){},     /* Stores a value into a cookie, unique to this gadget. */
    readCookie: function (name){},                    /* Retrieves a previously stored cookie value */
    eraseCookie: function (name){}                    /* Removes a cookie value */
};
```

Usage

Reorder gadgets according to their distance from the given functions.

```bash
$ one_gadget /lib/x86_64-linux-gnu/libc.so.6 --near exit,mkdir
# [OneGadget] Gadgets near exit(0x43120):
# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   rsp & 0xf == 0
#   rcx == NULL
#
# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   [rsp+0x40] == NULL
#
# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL
#
# [OneGadget] Gadgets near mkdir(0x10fbb0):
# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL
#
# 0x4f322 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   [rsp+0x40] == NULL
#
# 0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   rsp & 0xf == 0
#   rcx == NULL
```

A regular expression is also accepted.

If you pass an ELF file as the argument, OneGadget uses all of its GOT functions as the reference points.
