niklasb/libc-database niklasb/libc-database

  • Stars
    star
    1,626
  • Rank 27,805 (Top 0.6 %)
  • Language
    Shell
  • License
    MIT License
  • Created about 9 years ago
  • Updated 11 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
niklasb/libc-database
github

niklasb

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Build a database of libc offsets to simplify exploitation

Web interface

libc-database now has a web service and frontend. Visit https://libc.rip/ to try it out! Read https://github.com/niklasb/libc-database/tree/master/searchengine if you are interested in the API.

Building a libc offset database

If you're getting errors, please check the "Requirements" section below.

Fetch the desired libc categories and extract the symbol offsets. It will not download anything twice, so you can also use it to update your database:

$ ./get  # List categories
$ ./get ubuntu debian  # Download Ubuntu's and Debian's libc, old default behavior
$ ./get all  # Download all categories. Can take a while!

You can also add a custom libc to your database.

$ ./add /usr/lib/libc-2.21.so

Find all the libc's in the database that have the given names at the given addresses. Only the last 12 bits are checked because randomization usually works on page size level.

$ ./find printf 260 puts f30
archive-glibc (libc6_2.19-10ubuntu2_i386)

Find a libc from the leaked return address into __libc_start_main.

$ ./find __libc_start_main_ret a83
ubuntu-trusty-i386-libc6 (libc6_2.19-0ubuntu6.6_i386)
archive-eglibc (libc6_2.19-0ubuntu6_i386)
ubuntu-utopic-i386-libc6 (libc6_2.19-10ubuntu2.3_i386)
archive-glibc (libc6_2.19-10ubuntu2_i386)
archive-glibc (libc6_2.19-15ubuntu2_i386)

Dump some useful offsets, given a libc ID. You can also provide your own names to dump.

$ ./dump libc6_2.19-0ubuntu6.6_i386
offset___libc_start_main_ret = 0x19a83
offset_system = 0x00040190
offset_dup2 = 0x000db590
offset_recv = 0x000ed2d0
offset_str_bin_sh = 0x160a24

Check whether a library is already in the database.

$ ./identify /usr/lib/libc.so.6
local-f706181f06104ef6c7008c066290ea47aa4a82c5

Or find a libc using a hash (currently BuildID, MD5, SHA1 and SHA256 is implemented):

$ ./identify bid=ebeabf5f7039f53748e996fc976b4da2d486a626
libc6_2.17-93ubuntu4_i386
$ ./identify md5=af7c40da33c685d67cdb166bd6ab7ac0
libc6_2.17-93ubuntu4_i386
$ ./identify sha1=9054f5cb7969056b6816b1e2572f2506370940c4
libc6_2.17-93ubuntu4_i386
$ ./identify sha256=8dc102c06c50512d1e5142ce93a6faf4ec8b6f5d9e33d2e1b45311aef683d9b2
libc6_2.17-93ubuntu4_i386

Download the whole libs corresponding to a libc ID.

$ ./download libc6_2.23-0ubuntu10_amd64
Getting libc6_2.23-0ubuntu10_amd64
    -> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb
    -> Downloading package
    -> Extracting package
    -> Package saved to libs/libc6_2.23-0ubuntu10_amd64
$ ls libs/libc6_2.23-0ubuntu10_amd64
ld-2.23.so ... libc.so.6 ... libpthread.so.0 ...

Requirements

General

To run these scripts, you will need following command on your PATH:

  • readelf
  • objdump
  • strings
  • perl
  • find
  • grep
  • md5sum
  • sha1sum
  • sha256sum
  • file

Debian-based (Ubuntu, Debian, Kali Linux, ParrotSec)

  • mktemp
  • perl
  • wget
  • ar
  • tar
  • grep
  • zstd

RPM-based (category 'rpm')

  • mktemp
  • perl
  • wget
  • rpm2cpio
  • cpio
  • grep

CentOS-based

In addition to the RPM-Based requirements, you will need:

  • wget
  • gzip
  • grep

Pacman-based

  • mktemp
  • perl
  • grep
  • sed
  • cat
  • wget
  • zstd
  • xz-utils
  • tar

APK Based

  • mktemp
  • perl
  • wget
  • tar
  • gzip
  • grep

Launchpad-based

In addition to the Debian-based requirements, you will need:

  • jq

Install everything

To install everything on Debian 10, run these commands:

apt-get update
apt-get install -y \
  binutils file \
  wget \
  rpm2cpio cpio \
  zstd jq

More Repositories

1

dryscrape

[not actively maintained] A lightweight Python library that uses Webkit to enable easy scraping of dynamic, Javascript-heavy web pages
Python
532
star
2

3dpwn

VirtualBox 3D exploits & PoCs
Python
160
star
3

sploits

C++
156
star
4

hack2win-chrome

This is collaborative work of Ned Williamson and Niklas Baumstark
C++
131
star
5

contest-algos

C++
121
star
6

bspfuzz

C++
90
star
7

35c3ctf-challs

Python
88
star
8

elgoog

elgoog/searchme challenge from 34C3 CTF / WCTF 2018: sources & exploit
C
66
star
9

webkit-server

[not actively maintained] The C++ webkit-server from capybara-webkit with useful extensions and Python bindings
C++
48
star
10

memfuzzing

Memory fuzzing based on sinn3r's In Memory Fuzzer
Python
26
star
11

ruby-dynamic-binding

Implements a flexible form of dynamic binding to Ruby which allows to run a Proc inside a custom name lookup context
Ruby
26
star
12

bingrep

A small utility to grep for pointers & binary data in memory dumps / live process memory
C++
23
star
13

34c3ctf-sols

Solutions for my 34C3CTF challenges
Python
22
star
14

dump-seccomp

GDB plugin to dump SECCOMP rules set via prctnl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)
C
22
star
15

tcr

ICPC team contest reference of German team hacKIT
C++
19
star
16

ctf-tools

Python
16
star
17

rpi-qemu

Shell
11
star
18

haskell-brainfuck

BF interpreter written in Haskell as a small exercise
Haskell
8
star
19

ub-to-rce

C
7
star
20

kitbot

Yet another, minimalistic IRC bot
Ruby
7
star
21

rubyfun

Ruby
6
star
22

33c3ctf-mario

Source for mario challenge from 33C3 CTF
Python
6
star
23

apache-ssl-key-extract

Modification of passe-partout utility (http://www.hsc.fr/ressources/outils/passe-partout/) to read memory from files instead of relying on ptrace
C
5
star
24

33c3ctf-coercive

code and exploit for 33C3 CTF task 'coercive'
Haskell
4
star
25

codingpad-ideone

A modification of the excellent Codingpad Chrome extension by Felix Kling that uses ideone.com as a backend instead of codepad.org.
JavaScript
4
star
26

pbbs-maxflow

C++
3
star
27

gdbinit

Python
3
star
28

mona

Corelan Repository for mona.py
Python
3
star
29

arch-initramfs-dropbear-decrypt

mkinitcpio hooks for Arch Linux to unlock encrypted partitions on boot via remote login
Shell
3
star
30

save-the-robot

TeX
3
star
31

boxes

Stuff to manage virtual machines
Python
3
star
32

chrome-builds

3
star
33

linux-syscalls

Create tables to get an overview over system calls numbers and signatures for x86 and x86-64
Python
3
star
34

haskell-soy

A Haskell implementation of Google's Closure Templates
Haskell
2
star
35

vvz-ssh

An SSH tunnel for VVZ
Ruby
2
star
36

niklasb.github.com

My github pages
2
star
37

sudoku-pdf

A set of scripts to generate Sudoku puzzles and write them to a PDF
Python
2
star
38

lz-index

Implementation of an LZ index based on the SDSL library
C++
2
star
39

sslutils

Some helpful(?) stuff for working with CAs
Ruby
2
star
40

winhook

C++
2
star
41

crhash

A customizable hash brute forcer
C++
2
star
42

ctf-glicko2

Source code for Glicko-2 rating app for CTF teams 2016.
HTML
2
star
43

ida-colors

1
star
44

gpuc-rainbow

C++
1
star
45

test

1
star
46

dotfiles

Shell
1
star
47

webgdb

JavaScript
1
star
48

linux-config

Shell
1
star
49

faustctf-vpn-gateway

VPN setup used for FaustCTF
Shell
1
star
50

vimrc

My vimrc (loosely based on https://github.com/nvie/vimrc)
Vim Script
1
star
51

contest-tasks-webapp

Hosted at http://dtun.de/tasks/
PHP
1
star
52

linux-notes

Notes for Linux stuff
1
star
53

xkcd-hash

C
1
star
54

random-scripts

Shell
1
star