
Supported platforms: Windows, Linux, Ubuntu, Kali, FreeBSD, Deepin, Debian, CentOS

What?

sgtlibc is an offline Python library for searching libc functions: given the addresses of one or more leaked functions, it identifies the matching libc build and looks up the offsets of other symbols in it.

Install

pip install sgtlibc

Usage

usage: main.py [-h] [-d [DUMP ...]] [-i [INDEX]] [-u [UPDATE]] [funcs_with_addresses]

for search version of libc.you can use like:`sgtlibc puts:aa0+read:140 --dump system binsh` or in python , like : `py:import sgtlibc;s = sgtlibc.LibcSearcher();s.add_condition('puts',0xaa0)`

positional arguments:
  funcs_with_addresses  specify `func-name` and `func address` , split by `|`,eg: puts:aa0+read:140 , its means func-put's address = 0xaa0;func-read addr = 0x140 (default: None).

options:
  -h, --help            show this help message and exit
  -d [DUMP ...], --dump [DUMP ...]
                        select funcs to dump its info (default: ['__libc_start_main_ret', 'system', 'dup2', 'read', 'write', 'str_bin_sh']).
  -i [INDEX], --index [INDEX]
                        db index on multi-database found occation (default: 0).
  -u [UPDATE], --update [UPDATE]
                        update current libc database from internet , need non-microsoft-windows environment (default: False).

Quick Start

sgtlibc puts:aa0
sgtlibc puts:aa0+read:140
sgtlibc puts:aa0+read:140 --dump system binsh

import sgtlibc
s = sgtlibc.Searcher()
s.add_condition('puts', 0xaa0)   # leaked address of puts
s.add_condition('read', 0x140)   # a second leak narrows the candidate set
print(s.dump())                  # default symbol set (see --dump above)
print(s.dump(['system', 'str_bin_sh']))  # only the requested symbols

Example

  • The main argument specifies a function name and a function address; **they SHOULD be split by `|`** (the examples on this page join conditions with `+`).

    e.g. puts:aa0+read:140, which means:

    • func-puts address = 0xaa0
    • func-read address = 0x140
  • --update downloads the current libc database from the internet, based on libc-database; it requires a non-Microsoft-Windows system.

  • Run the Python code from Quick Start above and you will get output like the following:

    (screenshot: image-20220605212842313)

  • Run the command in a terminal and you will get output like the following:

    (screenshot: image-20220605213023151)

  • Use with pwntools

from pwn import *  # run `pip install pwntools` first
import sgtlibc

s = sgtlibc.Searcher()
puts_addr = 0xff1234567aa0  # leaked runtime address of puts
s.add_condition('puts', puts_addr)
libc = s.dump()  # search libc; if several builds match, index 0 is used by default
offset = puts_addr - libc[sgtlibc.s_puts]  # libc base: leak minus puts' offset in the matched build
system_addr = p64(libc[sgtlibc.s_system] + offset)
binsh_addr = p64(libc[sgtlibc.s_binsh] + offset)
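As an added example (not sgtlibc's own code), here is a minimal offline searcher that reproduces the matching the Quick Start and pwntools snippets rely on: conditions are compared on the low 12 bits of each leaked address (libc is mapped page-aligned, which is the libc-database convention behind three-hex-digit values such as `aa0`), the candidate set narrows as conditions are added, and the chosen build's offsets are rebased exactly as the pwntools snippet does. The `LIBC_DB` table and every offset in it are constructed for illustration, and the class and function names (`Searcher`, `resolve`, `demo`) belong to this example, not to sgtlibc's API.

```python
"""Added example, not sgtlibc's own code: a minimal offline libc searcher
mirroring the add_condition()/dump() workflow described on this page.
The symbol table below is CONSTRUCTED; its offsets belong to no real libc."""

PAGE_MASK = 0xFFF  # libc is mapped page-aligned, so only the low 12 bits of a
                   # leaked address identify a build; the rest is the load base

# Constructed database: build id -> {symbol: offset from libc base}
LIBC_DB = {
    "libc6_constructed-a": {
        "puts": 0x80AA0, "read": 0xF7140, "write": 0xF71D0,
        "system": 0x4F4E0, "str_bin_sh": 0x1B40FA,
    },
    "libc6_constructed-b": {  # same low bits for puts as build a, different read
        "puts": 0x84AA0, "read": 0x110150, "write": 0x1101D0,
        "system": 0x52290, "str_bin_sh": 0x1B45BD,
    },
    "libc6_constructed-c": {
        "puts": 0x875A0, "read": 0x111130, "write": 0x1111D0,
        "system": 0x55410, "str_bin_sh": 0x1B75AA,
    },
}


class Searcher:
    """Hypothetical stand-in for sgtlibc's searcher, built on LIBC_DB."""

    def __init__(self, db=LIBC_DB):
        self.db = db
        self.conditions = {}

    def add_condition(self, func, addr):
        """Record a leaked address; only its low 12 bits take part in matching."""
        self.conditions[func] = addr & PAGE_MASK

    def candidates(self):
        """Ids of every build whose symbols agree with all recorded conditions."""
        return [
            build for build, symbols in self.db.items()
            if all(func in symbols and (symbols[func] & PAGE_MASK) == low
                   for func, low in self.conditions.items())
        ]

    def dump(self, funcs=None, index=0):
        """{symbol: offset} for the index-th matching build (index 0 by default)."""
        hits = self.candidates()
        if not hits:
            raise LookupError("no libc build matches the given conditions")
        symbols = self.db[hits[index]]
        funcs = funcs or ["system", "read", "write", "str_bin_sh"]
        return {f: symbols[f] for f in funcs}


def resolve(leaked_func, leaked_addr, wanted, searcher):
    """Rebase the wanted symbols from one leaked runtime address, as the
    pwntools snippet above does: base = leak - offset(leaked_func)."""
    symbols = searcher.dump([leaked_func] + wanted)
    base = leaked_addr - symbols[leaked_func]
    if base & PAGE_MASK:
        raise ValueError("computed libc base is not page-aligned; wrong build?")
    return {w: base + symbols[w] for w in wanted}


def demo():
    """Show how a second condition disambiguates builds a and b."""
    s = Searcher()
    s.add_condition("puts", 0xAA0)   # builds a and b both end in aa0
    ambiguous = s.candidates()
    s.add_condition("read", 0x140)   # only build a ends in 140 for read
    unique = s.candidates()
    return ambiguous, unique


if __name__ == "__main__":
    print(demo())
    s = Searcher()
    s.add_condition("puts", 0x7F1234580AA0)  # constructed leak
    s.add_condition("read", 0x7F12345F7140)
    print({k: hex(v) for k, v in resolve("puts", 0x7F1234580AA0,
                                          ["system", "str_bin_sh"], s).items()})
```

A single condition is often ambiguous across builds, which is why sgtlibc accepts several `name:addr` pairs and exposes `--index` to pick among the remaining matches; the page-alignment check in `resolve` catches the common mistake of rebasing with offsets from the wrong build.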

Notice

The bundled libc database was last updated a long time ago; we strongly recommend updating it by running `sgtlibc --update`.
