Skip to content

a ctf tool for identifying libc versions from info leaks

Notifications You must be signed in to change notification settings

straybro/findlibc

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

findlibc

This is a small tool I wrote to help identify a version of libc given some leaked addresses and their symbol names.

This comes in handy when tackling CTF challenges where libc isn't provided, but we're able to leak some addresses. Using these leaked addresses, we can make an educated guess as to the libc version, potentially easing the burden of exploitation.

Methodology

Given a set of 2 or more leaked symbols, it will iterate over a collection of libc files and find one whose symbol table contains a set of offsets for the provided symbol names which matches the relative offsets of the provided address leaks. That was a mouthful, these comments are a bit more thoughtful.

Usage - Interactive

The tool can be used interactively, like so: python -m findlibc.

Usage - Script

The tool can also be used in your scripts.

import findlibc

funcs = {
	"read":   0x7f76847cf250,
	"puts":   0x7f7684747690,
	"system": 0x7f768471d390,
	"free":   0x7f768475c4f0,
	"malloc": 0x7f768475c130,
}

results = findlibc.find(funcs, arch='any', many=True)

The first argument should be a dictionary of symbols. The following option arguments are first an architecture (default 'any') and second whether you want all macthes (True, returns a list of tuples) or the first match (False, default, returns a tuple).

The returned tuple(s) are (libc, filename) where libc is a pwntools.ELF and filename is a string.

Dependencies

Hard dependency on pwntools. This also implies a dependency on python2.7, as that is what pwntools supports.

If you want to get it running on any other version using a custom or unofficial pwntools fork, GLHF.

Libc Files

I've included some random libc files. These are what I had laying around in my CTF working directory.

You can get many more from here, but these will slow it down a lot. The code is written to handle this dataset, however, and will filter out extraneous libs. pwntools does choke on some parts of that set, and might need massaging.

About

a ctf tool for identifying libc versions from info leaks

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%