Last active
August 4, 2022 13:51
-
-
Save tachibana51/a89a748eaebc8b080eb0b46c35233e0d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # for ctf | |
| # 配られたlibcが手元に無くても無理やりバイナリを動かすことが出来るようにパッチを行う | |
| # | |
| # | |
| if [ $# -eq 0 ]; then | |
| echo "usage: $0 [ubuntu-version] [glibc-version] elf-file" | |
| exit 1 | |
| fi | |
| #get debug symbol and interpreter | |
| sudo docker pull ubuntu:$1 | |
| sudo docker run --name tmp$1 -i -t ubuntu:$1 bash -c "apt update && apt install libc6-dbg" | |
| sudo docker cp tmp$1:/lib/x86_64-linux-gnu/ld-$2.so . | |
| sudo docker cp tmp$1:/lib/x86_64-linux-gnu/libc-$2.so "libc.so.6" | |
| mkdir ".debug" | |
| sudo docker cp tmp$1:/usr/lib/debug/lib/x86_64-linux-gnu/libc-$2.so ".debug/libc.so.6" | |
| mkdir -p .debug/lib/x86_64-linux-gnu/ | |
| sudo docker cp tmp$1:/usr/lib/debug/lib/x86_64-linux-gnu/ld-$2.so ".debug/ld-$2.so" | |
| sudo docker rm tmp$1 | |
| #patchelf | |
| patchelf --set-interpreter `pwd`/ld-$2.so $3 | |
| patchelf --replace-needed libc.so.6 "`pwd`/libc.so.6" $3 | |
| patchelf --set-rpath `pwd` $3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import gdb | |
| import subprocess | |
| class loadsym(gdb.Command): | |
| """ | |
| load symbol file to glibc | |
| Usage: loadsym {symbol file} | |
| Example: | |
| (gdb) loadsym '/path/to/usr/lib/debug/lib/x86_64-linux-gnu/libc-2.27.so' | |
| """ | |
| def __init__(self): | |
| ''' | |
| register command in constructer function | |
| ''' | |
| super(self.__class__, self).__init__("loadsym", gdb.COMMAND_USER) | |
| def invoke(self, args, from_tty): | |
| ''' | |
| in invoke method, we add command's features | |
| ''' | |
| # using string_to_argv to convert args to list | |
| argv = gdb.string_to_argv(args) | |
| #if len(argv) != 1: | |
| # raise gdb.GdbError( | |
| # 'Fail to execute command, use "help loadsym" for help') | |
| print('[*] symbol file path: {}'.format(".debug/libc.so.6")) | |
| # traverse objfiles to find libc | |
| #gdb.execute("set debug-file-directory "+subprocess.check_output(["pwd"]).decode()+"/.debug") | |
| for i in gdb.objfiles(): | |
| if 'libc' in i.filename: | |
| self.add_debug_file(i, ".debug/libc.so.6") | |
| return | |
| print('[-] fail to find libc!') | |
| def add_debug_file(self, objfile, debugfile_path): | |
| ''' | |
| add debug file and check debug file's status | |
| ''' | |
| objfile.add_separate_debug_file(debugfile_path) | |
| # check symbol file is loading | |
| if gdb.lookup_symbol('main_arena') == None: | |
| print('[-] load debug file fail!') | |
| return False | |
| else: | |
| print('[+] load debug file success!') | |
| return True | |
| if __name__ == "__main__": | |
| loadsym() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment