#!/usr/bin/env python2
import logging
import logging.handlers
import numbers
import os
import struct
# Root-logger setup used for the script's own diagnostics (e.g. the "No match"
# warning).  basicConfig only installs a handler when the root logger has none,
# so an embedding program that configured logging first is left untouched.
LOG_FORMAT = '%(asctime)s - %(filename)s:%(lineno)s - %(message)s'
logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)
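class libc(object):
    """Identify a libc build from one leaked symbol address.

    Only the low 12 bits of the leaked address (its offset inside a 4 KiB
    page, which page-granular loading leaves unchanged) are compared against
    every ``(offset, symbol)`` row of the ``database`` directory next to this
    file.  Once a build is matched, other symbols of that build are resolved
    relative to the leak.

    Attributes:
        func: name of the leaked symbol (e.g. ``"fgets"``).
        funcaddr: the leaked address as an int.
        offset: ``funcaddr & 0xfff``, the part compared against the database.
        dbpath: directory holding the ``*.db`` files.
        all: ``{db_name: [(offset, symbol), ...]}`` loaded from ``dbpath``.
    """

    # Sentinel returned by __search when no database row matches the leak.
    _NO_MATCH = (0, (0, 0))

    def __init__(self, func, funcaddr):
        """Remember the leak and load the database.

        Args:
            func: name of the leaked symbol.
            funcaddr: its address, as an int or a hex string with or without
                a ``0x`` prefix.

        Raises:
            TypeError: ``funcaddr`` is neither an integer nor a string.
            ValueError: ``funcaddr`` is a string but not valid hexadecimal.
        """
        self.func = func
        if isinstance(funcaddr, numbers.Integral):
            self.funcaddr = int(funcaddr)
        else:
            try:
                # int() with base 16 already accepts an optional 0x/0X prefix.
                self.funcaddr = int(funcaddr, 16)
            except TypeError:
                raise TypeError(
                    "funcaddr must be an int or a hex string, got %r" % (funcaddr,))
        # Only the page offset survives relocation, so only it is matched.
        self.offset = self.funcaddr & 0xfff
        self.dbpath = os.path.join(
            os.path.dirname(os.path.realpath(__file__)), "database")
        self.all = self.__construct_dict()

    def __construct_dict(self):
        """Read every file under ``self.dbpath`` into ``{name: [(offset, symbol), ...]}``.

        A database row is ``<hex offset> <symbol>``; only rows starting with
        ``"0"`` are data rows (offsets are zero-padded), anything else is
        skipped.  The key is the file name without its ``.db`` suffix.
        """
        table = {}
        for root, _dirs, files in os.walk(self.dbpath):
            for fname in files:
                # Slice the suffix off; str.strip(".db") would also eat any
                # leading/trailing '.', 'd' or 'b' of the name itself.
                mark = fname[:-3] if fname.endswith(".db") else fname
                rows = []
                # Join with root, not dbpath, so files in subdirectories resolve.
                with open(os.path.join(root, fname), "r") as fd:
                    for line in fd:
                        if not line.startswith("0"):
                            continue
                        fields = line.split()
                        if len(fields) < 2:
                            continue
                        # int(..., 16) accepts any width, unlike the fixed
                        # 8/16/32/64-bit struct formats.
                        rows.append((int(fields[0], 16), fields[-1]))
                table[mark] = rows
        return table

    def __search(self):
        """Return the ``(db_name, (offset, symbol))`` row matching the leak.

        A unique match is returned directly; several candidates are listed and
        the user is asked to pick one (the first is the default); no match logs
        a warning, lists the databases and returns ``_NO_MATCH``.
        """
        wanted = (self.offset, self.func)
        matches = []
        for name, rows in self.all.items():
            for row in rows:
                if (row[0] & 0xfff, row[1]) == wanted and (name, row) not in matches:
                    matches.append((name, row))
        if not matches:
            logging.warning("No match! try other libc.")
            self.listall()
            return self._NO_MATCH
        if len(matches) == 1:
            return matches[0]
        return self.__choose(matches)

    def __choose(self, matches):
        """Print the candidates and return the one the user picks (first by default).

        Non-numeric input or a closed stdin falls back to the first candidate
        (the original could index with a stale out-of-range id here); an
        out-of-range or negative id is rejected and asked again.
        """
        print("[x] Multi Results, Choose it manually, First Default: ")
        for idx, (name, row) in enumerate(matches):
            print(" ID:  %d" % idx)
            print(" Version :  %s" % (name,))
            print(" Function :  %s" % (row[1],))
            print(" Address :  %s" % hex(row[0]))
        try:
            read_line = raw_input  # Python 2
        except NameError:
            read_line = input      # Python 3
        while True:
            try:
                choice = int(read_line("Input a Number [0]: "))
            except (ValueError, EOFError):
                return matches[0]
            if 0 <= choice < len(matches):
                return matches[choice]
            logging.warning("Invalid ID")

    def __offset_in_db(self, key, func):
        """Return the offset of ``func`` in database ``key``, or None if absent."""
        for row in self.all[key]:
            if row[1] == func:
                return row[0]
        return None

    def base(self):
        """Return the libc load base implied by the leak, or 0 when no build matched."""
        key, row = self.__search()
        if key == 0:
            return 0
        return self.funcaddr - row[0]

    def system_offset(self):
        """Offset of ``system`` in the matched build; 0 on no match, None if absent."""
        return self.offset_by_name("system")

    def system_address(self):
        """Address of ``system`` implied by the leak; 0 on no match, None if absent."""
        return self.address_by_name("system")

    def offset_by_name(self, func):
        """Offset of ``func`` in the matched build; 0 on no match, None if absent."""
        key, _row = self.__search()
        if key == 0:
            return 0
        return self.__offset_in_db(key, func)

    def address_by_name(self, func):
        """Address of ``func`` implied by the leak; 0 on no match, None if absent."""
        key, row = self.__search()
        if key == 0:
            return 0
        target = self.__offset_in_db(key, func)
        if target is None:
            return None
        return self.funcaddr - row[0] + target

    def info(self):
        """Return the matched database name, or 0 when nothing matched."""
        key, _row = self.__search()
        return key

    def listall(self):
        """Print every loaded database name, numbered from 1."""
        print("All available libc database : ")
        for idx, name in enumerate(self.all, 1):
            print(str(idx) + ":\t" + name)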
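if __name__ == "__main__":
    # Demo run against the sample leak shipped with the script.
    obj = libc("fgets", "7ff39014bd90")
    system_addr = obj.system_address()
    # 0 means no build matched; None means the matched build has no "system"
    # row.  Either way hex() must not be called on it.
    if system_addr:
        print("[+]system address:  %s" % hex(system_addr))
    else:
        print("[-]system address not found")
    print("[+]libc info :  %s" % (obj.info(),))
    obj.listall()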