-
Notifications
You must be signed in to change notification settings - Fork 22
/
main_arena
executable file
·89 lines (77 loc) · 2.21 KB
/
main_arena
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/env bash
# set -eux
:<<DESCRIPTION
This is a simple shell script to get main_arena offset of a given libc.
Usage: $ main_arena your_libc
avaiable on <https://github.com/0x01f/main_arena_offset>
DESCRIPTION
:<<COLORS
The following are defined color_variables.
Change the color of output stream as you like.
COLORS
# black='\033[0;30m'
# dark_gray='\033[1;30m'
# light_gray='\033[0;37m'
# blue='\033[0;34m'
# light_blue='\033[1;34m'
# green='\033[0;32m'
light_green='\033[1;32m'
# cyan='\033[0;36m'
# light_cyan='\033[1;36m'
# red='\033[0;31m'
# light_red='\033[1;31m'
# purple='\033[0;35m'
# light_purple='\033[1;35m'
# brown='\033[0;33m'
# yellow='\033[1;33m'
# white='\033[1;37m'
# default_color='\033[00m'
red_bold='\033[01;31m'
endc='\033[0m'
:<<printInfo
This function is set to print the result.
Use it like:
printInfo __malloc_hook_offset main_arena_offset.
printInfo
function printInfo()
{
printf "$light_green[+]__malloc_hook_offset :$endc$red_bold 0x%x$endc\n" $1
printf "$light_green[+]main_arena_offset :$endc$red_bold 0x%x$endc\n" $2
exit
}
:<<getOffset
As its name suggests, getOffset() is the function to get result.
It works on the following princple:
for 32-bit so:
main_arena_offset = __malloc_hook_offset + 0x18
I think it's wired but it works out for all the libcs in libc_database. Please inform me if you find a 32-bit libc with a wrong result.
for 64-bit so:
main_arena_offset - __malloc_hook_offset = (__realloc_hook_offset - __malloc_hook_offset) * 2
getOffset
function getOffset()
{
libc=$1
# deal with local libc(in case of symbolic link)
if [[ $(file $libc) =~ "symbolic link" ]]
then
libc=$(dirname $libc)"/"$(readlink $libc)
fi
mallocHook=$(objdump -j .data -d $libc|grep __malloc_hook@ |cut -d " " -f 1)
let mallocHook=16#$mallocHook
# 32-bit
if [[ $(file $libc) =~ "32-bit" ]]
then
let mainArena=($mallocHook+0x18)
printInfo "$mallocHook" $mainArena
fi
# 64-bit
reallocHook=$(objdump -j .data -d $libc|grep __realloc_hook@ |cut -d " " -f 1)
let reallocHook=16#$reallocHook
((offset=$mallocHook-$reallocHook))
let mainArena=($mallocHook+$offset*2)
printInfo "$mallocHook" $mainArena
}
:<<get_result
get result by calling getOffset.
get_result
getOffset $1