pwntools
Add libc to pwn template
What is the purpose of these changes? When is it useful and how does it work?
It adds a libc file argument to the pwn template: pwn template --host HOST --port PORT --libc=LIBC ./EXE
Thank you for replying; however, I still do not know what the new argument does and why it is useful. Could you provide an example exploit produced by such a modified template, and justify why it is done this way?
Of course. Most CTFs provide the binary and libc. As part of the exploit we often have to take advantage of the fact that we have the appropriate libc; for example, if we want to do ret2libc we want to use libc.
Attached is an exploit example exp.zip
I think adding libc argument makes sense, but the way it is proposed in this PR does not work. @ghsi10 have you tested your change at all?
With your change, we would just get the line libc = os.path.basename(binary) printed out by the pwn template command. I think what you want is something like libc = ELF({libc_repr}), if I understand the syntax correctly (I have not tested it, of course, so please do so!).
I updated the template to be correct. I'm not sure how to compile and test it. I would appreciate an explanation :)
The quick & dirty way: just find wherever your pwntools is located, replace the relevant file(s), and run pwn template --whatever --args --you --added.
The less messy way: cd into your cloned fork and run python3 -m pwnlib.commandline.main template --whatever --args --and-so-on.
Is there anything new with this?
This clearly does not work. libc_repr is not defined, and therefore a NameError is raised every time libc is set.
I see that this could be a useful feature, but please, please do test that your changes work before requesting a review. It will save everyone's time and reduce the number of feedback round-trips.
@Arusekk it works for me locally now. Thanks for the help :)

Great, now I can see that the template works in normal cases. However, imagine the libc is not called libc.so.6 but instead libc.'); evil_code() #.so.6. What does the code do then? I see that this is unlikely, etc., but we should do the same as we do for the EXE path, i.e. the repr thing. Please read the code carefully and copy the relevant parts.
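The injection the review comment describes, shown with a stand-alone example (added here, not code from pwntools or from the PR). The one-line TEMPLATE string is a hypothetical simplification of the template line that emits the libc ELF; render_unsafe quotes the path by hand, render_safe passes it through repr() as the EXE path already is, and analyze() parses the rendered line with ast to show what a generated exploit would actually execute.

```python
import ast

# Hypothetical one-line stand-in for the template line that loads libc.
# The real pwn template is much longer; only the interpolation matters here.
TEMPLATE = "libc = ELF({libc_repr})\n"

# Constructed attacker-chosen filename from the review comment: the quote
# closes the string literal, ';' ends the statement, '#' hides the rest.
EVIL_PATH = "libc.'); evil_code() #.so.6"


def render_unsafe(libc_path):
    """Wrap the path in single quotes by hand (the bug under discussion)."""
    return TEMPLATE.format(libc_repr="'" + libc_path + "'")


def render_safe(libc_path):
    """Interpolate the path through repr(), which escapes/quotes correctly."""
    return TEMPLATE.format(libc_repr=repr(libc_path))


def analyze(src):
    """Parse a rendered template line and report what it would execute.

    Returns (top-level statement count, names of every function called,
    the string constant that actually reaches ELF()).
    """
    tree = ast.parse(src)
    calls = []
    elf_arg = None
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        calls.append(node.func.id)
        if node.func.id == "ELF" and node.args and isinstance(node.args[0], ast.Constant):
            elf_arg = node.args[0].value
    return len(tree.body), calls, elf_arg


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        src = render(EVIL_PATH)
        print(label, repr(src), analyze(src))
```

With the hand-quoted version the rendered line parses as two statements, libc = ELF('libc.') followed by a call to evil_code(), and the intended filename never reaches ELF(); with repr() it is a single statement whose argument is exactly the original path, whatever quotes or comment characters it contains.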
Closing in favor of #2212.