| author | Niklas Baumstark <niklas.baumstark@gmail.com> | 2015-03-16 22:32:07 +0100 |
|---|---|---|
| committer | Niklas Baumstark <niklas.baumstark@gmail.com> | 2015-03-16 22:32:07 +0100 |
| commit | 9616996dcd623a094bbe975f7e11118d33523afb (patch) | |
| tree | f74a84eb8d47f67e29ac7431d42ee49d7cb7d269 /README.md | |
| download | libc-database-9616996dcd623a094bbe975f7e11118d33523afb.tar.gz, libc-database-9616996dcd623a094bbe975f7e11118d33523afb.zip | |
initial commit
Diffstat (limited to 'README.md')

| -rw-r--r-- | README.md | 32 |
|---|---|---|

1 files changed, 32 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..7f18790 --- /dev/null +++ b/README.md @@ -0,0 +1,32 @@ +## Building a libc offset database + +Fetch all the configured libc versions and extract the symbol offset + + $ ./get + +Find all the libc's in the database that have a given name at the given address +(only the last 12 bits are checked, because randomization usually works on page +size level) + + $ ./find printf 260 + archive-eglibc (id 2.15-0ubuntu10_amd64) + archive-glibc (id 2.19-10ubuntu2_i386) + archive-glibc (id 2.19-10ubuntu2_i386) + +Find a libc from the leaked return address into __libc_start_main. + + $ ./find __libc_start_main_ret a83 + ubuntu-trusty-i386 (id 2.19-0ubuntu6.6_i386) + archive-eglibc (id 2.19-0ubuntu6_i386) + ubuntu-utopic-i386 (id 2.19-10ubuntu2.3_i386) + archive-glibc (id 2.19-10ubuntu2_i386) + archive-glibc (id 2.19-15ubuntu2_i386) + +Dump some useful offsets, given a libc ID: + + $ ./dump 2.19-0ubuntu6.6_i386 + offset___libc_start_main_ret = 0x19a83 + offset_system = 0x00040190 + offset_dup2 = 0x000db590 + offset_recv = 0x000ed2d0 + offset_str_bin_sh = 0x160a24 |
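Review bot: the sample output for `./find printf 260` lists `archive-glibc (id 2.19-10ubuntu2_i386)` twice; either the find script emits duplicate matches (in which case it should deduplicate its output) or the README example should drop the repeated line, since as written a reader cannot tell which it is. The `./dump` example also mixes padded and unpadded hex (`offset___libc_start_main_ret = 0x19a83` next to `offset_system = 0x00040190`); emitting all offsets in one width would make the output consistent. Finally, the `./get` step says it fetches "all the configured libc versions" without saying where that configuration lives or how to add a distribution; a one-line pointer to the relevant file would make the build step self-explanatory.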