libc offset database searcher
Project description
LibcSearcher3
(Search libc function offset)
简介
这是针对CTF比赛所做的工具,需要Python版本大于等于 3.7
在泄露了Libc中的某一个函数地址后,常常为不知道对方所使用的操作系统及libc的版本而苦恼,常规方法就是挨个把常见的Libc.so从系统里拿出来,与泄露的地址对比一下最后12位。
为了不在这一块浪费太多生命,写了几行代码,方便以后重用。
这里用了libc-database的数据库。
使用前需要先进行初始化。
安装
$ git clone https://github.com/Ro0tk1t/LibcSearcher3.git
$ pip3 install -e LibcSearcher3
or
$ pip3 install LibcSearcher3
初始化
$ libcsearch --init
使用
实例化
from LibcSearcher3 import *
#第二个参数,为已泄露的实际地址,或最后12位(比如:d90),int类型
obj = LibcSearcher("fgets", 0x7ff39014bd90)
obj = LibcSearcher("fgets", 0x7ff39014bd90) # 使用一个已知符号地址作为初始约束,初始化 LibcSearcher
obj.add_condition("atoi", 218528) # 添加一个约束条件
print("[+]/bin/sh offset: ", hex(obj.dump("str_bin_sh"))) # 根据已有约束条件,查询某个符号在 Libc 中的地址
print("[+]system offset: ", hex(obj.dump("system")))
命令行
$ libcsearch --help
usage: libcsearch [-h] [-i] [-f FUNC] [-d ADDR] [-t TO_LEAK]
optional arguments:
-h, --help show this help message and exit
-i, --init 初始化libc库
-l LOCAL_LIBC, --local LOCAL_LIBC
添加本地libc信息
-f FUNC, --func FUNC 已泄露的函数名
-d ADDR, --addr ADDR 已泄露函数的实际地址
-t TO_LEAK, --to_leak TO_LEAK
需要泄露的函数偏移
$ libcsearch -f fgets -d 0x7ff39014bd90 -t system
Multi Results:
0: kali-glibc (id libc6-x32_2.31-3_amd64)
1: ubuntu-old-eglibc (id libc6-amd64_2.13-0ubuntu13.2_i386)
2: kali-glibc (id libc6-x32_2.31-3_i386)
3: ubuntu-old-glibc (id libc6_2.19-10ubuntu2_amd64)
4: archive-glibc (id libc6-amd64_2.23-0ubuntu10_i386)
Please supply more info using
add_condition(leaked_func, leaked_address).
You can choose it by hand
Or type 'exit' to quit: 0
[+] kali-glibc (id libc6-x32_2.31-3_amd64) be choosed.
[+] system offset: 0x40130
添加本地libc库信息
$ libcsearch -l /usr/lib32/libc-2.31.so
Adding local libc /usr/lib32/libc-2.31.so (id local-189747720230b84e629b7fb77ecb4006416e3ada /usr/lib32/libc-2.31.so)
-> Writing symbols to ../db/local-189747720230b84e629b7fb77ecb4006416e3ada.symbols
-> Writing version info
如果遇到返回多个libc版本库的情况,可以通过add_condition(leaked_func, leaked_address)来添加限制条件,也可以手工选择其中一个libc版本(如果你确定的话)。
其它
水平一般,代码很烂,如有bug,欢迎吐槽。
欢迎贡献不同linux发行版的libc信息。
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file LibcSearcher3-1.4.0.tar.gz.
File metadata
- Download URL: LibcSearcher3-1.4.0.tar.gz
- Upload date:
- Size: 3.1 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.7.17
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1117a433d09e9a12c37d4e8fb15cd7527a30bd6ac5b7010c3df0a8c6a4314cfe
|
|
| MD5 |
20a0ec646d70b8a007b9eb8d2542af21
|
|
| BLAKE2b-256 |
9e2a0a918da25ba71e6107cb6eaecafbd7af83b29570f26f6e30d27ac4b14397
|
File details
Details for the file LibcSearcher3-1.4.0-py3-none-any.whl.
File metadata
- Download URL: LibcSearcher3-1.4.0-py3-none-any.whl
- Upload date:
- Size: 3.2 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.7.17
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
55b51bf5ce381ead239116afcd4678cbbdc1cfba8ac9a453bc82445a1e5a490a
|
|
| MD5 |
46f4a63692e9e2e559fc4b954f343509
|
|
| BLAKE2b-256 |
e8c2b2d72d2bfa616cf081f820abc4457551f2a33eef9690e4beb728c3effb63
|
