ret2libc

Ok I believe I have found a reliable method to automate the leaking of system during a rop I have been learning for 2 days and wrote a little bit of code I was wondering if anyone wants to see the methods I have for leaking libc automagicly from a binary mind you I haven't been doing this for over two days But I'm pretty sure I did it right. Just looking for people interested in looking over the code to help me learn.

Comments

  • leaking system via libc from binary using gdb + peda & pygdbmi

  • edited December 2018

    @huntingbugs said:

    leaking system via libc from binary using gdb + peda & pygdbmi

    [code]
    def Leak_libc(program_name):
    """Build and debug an application programatically
    For a list of GDB MI commands, see https://www.sourceware.org/gdb/onlinedocs/gdb/GDB_002fMI.html
    """
    #verbose=True
    # Initialize object that manages gdb subprocess
    gdbmi = GdbController(verbose=False)

    # Send gdb commands. Gdb machine interface commands are easier to script around,
    # hence the name "machine interface".
    # Responses are automatically printed as they are received if verbose is True.
    # Responses are returned after writing, by default.
    
    # Load the file
    responses = gdbmi.write("-file-exec-and-symbols %s" % program_name)
    # Add breakpoint
    responses = gdbmi.write("-break-insert main")
    # Run
    responses = gdbmi.write("-exec-run")
    Leak_libc_Address = gdbmi.write("print system")
    print Leak_libc_Address
    
    gdbmi.exit()
    return Leak_libc_Address 
    

    [code]

  • now inside of the response json You will have the leaked libc address

    u'$1 = {int (const char *)} 0xc5e14870 <__libc_system>', 'stream': 'stdout'}, {'message': None, 'type': 'console', 'payload': u'\n', 'stream': 'stdout'}, {'stream': 'stdout', 'message': u'done', 'type': 'result', 'payload': None, 'token': None}]

    now we just need to parse

    } 0xc5e14870 <__libc_system>

    between the } and < and we have succesfully leaked the system location

    please correct me if I am wrong but this shit intrigues me but after two days automating this whole thing is fun I also have some other code around this that does far more I want to share just give some positive posts and let me know where to release it on here and maybe it can help you guys beat some ctfs quicker as it at this stage will almost be able to determine the amount of bytes needed to trigger it and also create patterns and locate offsets to assemble the rop chain the reason I made this is I have read I need to obtain system as well as /bin/sh locations so 1 left ?

    :)

  • This works as long as ASLR is disabled. With ASLR enabled you'll need some kind of in-session info-leak or enumeration option to acquire libc addresses.

    You have to be careful not to be steered wrong by gdb when running this code on a system with ASLR enabled: by default gdb will disable randomization, even on an ASLR-enabled system. If you want gdb to follow the system's ASLR setting, use "set disable-randomization off".

  • edited December 2018

    https://paste.ofcode.org/KrMCtpV2aKzYNhLWJZXkXQ

    I watched the above video and started coding this lol

  • edited December 2018

    I'm not sure how to format that but it works 98% of the time on the challenge im working on now mind you I have only been working frolic 3 days and started to try coding this hoping to gain a better understanding of how it all works so I can finish the other portion that can determine the size of a buffer and create a pattern than overflow it get back the pattern and create the rop chain by itself

    I also turned aslr off the challenge has NX enabled and partial RELRO

  • You should probably watch ippsecs video on october, skip to the privesc part

  • can you link me im new here not sure how everything is situated tutorial wise or what videos may be good

Sign In to comment.