Disclaimer: This update to @jvoisin's code allows targeting any libc, and also provides a database of important offsets for all libc versions.
Okay, first we need to identify the libc; the only requirement is the file path.
What we will do is compute the sha1 hash of the libc.
Import Section:
import r2pipe
Code Section:
r = r2pipe.open(libc_path)
hash_value = r.cmd("e file.sha1").strip()  # r2 output ends with a newline; strip it before using it as a key
print('[+] libc sha1 %s' % hash_value)
Once we have the sha1 of the libc, we query the DB:
Import Section:
from tinydb import TinyDB, Query
Code Section:
db = TinyDB('fingerprints/db.json')
table = db.table('hashes')
Hash = Query()
result = table.search(Hash.hash == hash_value)
if not result:  # unknown build: result[0] would raise IndexError
    raise SystemExit('[-] sha1 %s is not in the fingerprint database' % hash_value)
libc_id = result[0]['lib']
print('[+] libc fingerprint found -> id %s' % libc_id)
And we have the id of our libc.
Now that we have the id, we just have to query the DB for the offsets and extract them from the result:
Import Section:
from tinydb import TinyDB, Query
Code Section:
table = db.table('offsets')
Offsets = Query()
result = table.search(Offsets.lib == libc_id)
if not result:  # fingerprint known but no offsets row stored for it
    raise SystemExit('[-] no offsets stored for libc id %s' % libc_id)
offsets = result[0]
print('[+] libc start %s' % offsets['__libc_start_main_ret'])
print('[+] libc system %s' % offsets['system'])
print('[+] libc read %s' % offsets['read'])
print('[+] libc write %s' % offsets['write'])
print('[+] libc bin sh offsets %s' % offsets['str_bin_sh'])
And voila, profit!
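The same two-step lookup as an added end-to-end example, not part of the original code or its fingerprints database: it uses only the standard library (hashlib in place of r2pipe, json reading db.json in TinyDB's table -> doc id -> document layout, which is an assumption about the file format), runs against a constructed fake libc and database with placeholder offsets, and returns None for an unknown build instead of crashing on result[0].

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a libc and for fingerprints/db.json in TinyDB's JSON layout
# (table name -> doc id -> document). Offsets are placeholder values, not a real libc's.
FAKE_LIBC = b"\x7fELF constructed fake libc, not a real binary\n"
FAKE_SHA1 = hashlib.sha1(FAKE_LIBC).hexdigest()
SAMPLE_DB = {
    "hashes": {"1": {"hash": FAKE_SHA1, "lib": "libc_example"}},
    "offsets": {"1": {"lib": "libc_example", "__libc_start_main_ret": 0x1000,
                      "system": 0x2000, "read": 0x3000, "write": 0x4000, "str_bin_sh": 0x5000}},
}

def sha1_of_file(path):
    """sha1 of the whole file, streamed so a large libc is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def lookup_offsets(hash_value, db):
    """Resolve sha1 -> libc id -> offsets record. Returns None when the libc is unknown
    instead of failing on result[0] the way an unchecked query does."""
    hash_value = hash_value.strip().lower()  # tolerate r2's trailing newline and upper-case hex
    ids = [d["lib"] for d in db.get("hashes", {}).values() if d.get("hash") == hash_value]
    if not ids:
        return None
    for doc in db.get("offsets", {}).values():
        if doc.get("lib") == ids[0]:
            return dict(doc)
    return None  # fingerprint known but no offsets row stored: treat as unknown too

def fingerprint_libc(libc_path, db_path):
    db = json.loads(Path(db_path).read_text())  # assumes TinyDB's JSON storage layout
    return lookup_offsets(sha1_of_file(libc_path), db)

def demo():
    """Write the constructed libc and db to a temp dir and run the lookup end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        libc, dbfile = Path(tmp, "libc.so.6"), Path(tmp, "db.json")
        libc.write_bytes(FAKE_LIBC)
        dbfile.write_text(json.dumps(SAMPLE_DB))
        known = fingerprint_libc(libc, dbfile)
        libc.write_bytes(FAKE_LIBC + b"patched")  # a different build: no fingerprint match
        return known, fingerprint_libc(libc, dbfile)
```

demo() returns the offsets record for the known build and None for the altered one, which is the case the unchecked result[0] in the snippets above would turn into an IndexError.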