ef4tless / xclibc Goto Github PK

View Code? Open in Web Editor NEW

49.0 2.0 3.0 154 KB

A tool to change the libc environment of running files(一个在CTF比赛中用于切换题目运行libc环境的工具)

Shell 100.00%

ctf pwn libc

xclibc's Introduction

xclibc

一个在CTF比赛中用于切换题目运行libc环境的工具，支持目前所有版本

安装

这个脚本是基于最新版的glibc-all-in-one，我建议你将其安装到~目录

git clone https://github.com/matrix1001/glibc-all-in-one
cd glibc-all-in-one
./update_list

xclibc脚本配置

git clone https://github.com/ef4tless/xclibc.git
cd xclibc
sudo rm /usr/local/bin/xclibc
sudo mv ./xclibc /usr/local/bin
sudo chmod +x /usr/local/bin/xclibc

使用

快速上手

xclibc [选项] [参数]
-s 查看libc文件的版本
-x 和 -c 是配置版本的主要功能
e.g.
➜  ~ xclibc -x ./main ./libc.so.6  读取版本自动配置

➜  ~ xclibc -c ./main 2.35
/home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3_amd64
/home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3.3_i386
/home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3.3_amd64
/home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3_i386
/home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3.1_i386
/home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3.1_amd64
Please specify the directory
➜  ~ xclibc -c ./main 2.35 /home/ef4tless/glibc-all-in-one/libs/2.35-0ubuntu3.1_i386

-r 可以恢复原本的题目状态
➜  ~ xclibc -r ./main
[+]restore!

-d 主要是 glibc-all-in-one 的libc库管理
➜  ~ xclibc -d
[+]Select the version you want to download
Blue is downloadable Green is already downloaded

2.17-93ubuntu4_amd64    2.19-0ubuntu3_i386      2.19-0ubuntu6.4_amd64  ......
➜  ~ xclibc -d  2.19-0ubuntu6.4_amd64

详细参数

xclibc [选项] [参数]
-s [libc文件] # 查看libc文件版本
-x [-n] [文件] [libc文件] # 一键给文件配置libc文件相应版本的环境（添加-n选项可以使用修改--replace-needed的方式实现）
-c [-n] [文件] [libc大版本号] [libc小版本环境路径] # 给文件配置指定的libc环境，输入大版本号后回车，可自由选择复制libc小版本环境路径（添加-n选项可以使用修改--replace-needed的方式实现）
-d <-r/-u> [version]
#  -d [ENTER] 可以查看所有可下载的libc版本
#  -d -r [version] 删除相应的libc版本库
#  -d -u 更新最新的所有libc版本
#  -d [version] 下载对应版本的libc
-e [deb包] # 解压相应的libc_deb包至glibc_all_in_one路径，通常一个版本需要解压一份本体deb和一份debug_deb包
-r [文件] # 恢复修改过的文件至初始状态
-h # 展示帮助提示
-v # 显示版本号

添加libc版本

可以在脚本头部数组中添加新的版本和下载链接，一个libc版本需要一份本体和debug版本，2份下载链接 e.g.libc6_2.31-0ubuntu1_amd64.deb 和 libc6-dbg_2.31-0ubuntu1_amd64.deb

更新

v1.6: 修复了在下载2.39版本时获取不到debug信息的问题

v1.5: 修复了xclibc -x -n时出现的bug

v1.3: 更新了代码逻辑修复了一些bug，简化了操作，删除了-e功能，将下载所有的libc版本集成到了-d -u命令中

v1.0: 增加了旧的下架版本的匹配，现在-x功能能匹配更多的版本了，完善了-d libc包管理功能，优化了部分逻辑处理方式

v0.9: 添加了-d下载libc版本库的功能，修复了2.31-0ubuntu9.10_amd64/i386不能加载的问题

v0.7: 修复了一个bug，该bug曾导致2.31-0ubuntu9.9_amd64/i386 版本在加载后不能正常debug

v0.5: 重定义了选项命令

v0.3: 添加了解压deb包的功能

警告

这个脚本在patch过程中将会删除/usr/lib/debug/.build/，如果你介意这一点，请先备份本机文件。

最后

如果你在使用脚本中遇到任何的问题，请尽快联系我。

感谢cnitlrt师傅最初的脚本思路。

xclibc's People

Contributors

Stargazers

Watchers

Forkers

covteam xia0le phoenix0006

xclibc's Issues

Libc not in glibc-all-in-one can not be patched to a version nearby

情况简介

pwn题目录下如下

$ ls
exp_heap1.py  hacknote  libc_32.so.6

libc版本2.23，32位

$ file libc_32.so.6 
libc_32.so.6: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=d26149b8dc15c0c3ea8a5316583757f69b39e037, for GNU/Linux 2.6.32, stripped
$ ./libc_32.so.6 
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu5) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.4.0 20160609.
Available extensions:
	crypt add-on version 2.1 by Michael Glad and others
	GNU Libidn by Simon Josefsson
	Native POSIX Threads Library by Ulrich Drepper et al
	BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.

问题

如下执行命令尝试更换程序libc，失败

$ xclibc -x hacknote  libc_32.so.6 
Getting 2.23-0ubuntu5_i386
  -> Location: https://mirror.tuna.tsinghua.edu.cn/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu5_i386.deb
  -> Downloading libc binary package
Getting 2.23-0ubuntu5_i386
  -> Location: http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu5_i386.deb
  -> Downloading libc binary package
Failed to download package from http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu5_i386.deb

并没有libc6_2.23-0ubuntu5_i386.deb这个包，而是 libc6_2.23-0ubuntu11.3_amd64.deb 或者libc6_2.23-0ubuntu3_amd64.deb

建议解决方案

建议增加临近版本匹配功能

Incomplete libc packages and directories available in option entries

问题

在 ~/glibc-all-in-one/libs 目录下部分libc版本文件缺失，例如

2.23-0ubuntu7_amd64 下没有任何文件
2.23-0ubuntu6_amd64 下目录 .debug 为空

但是在xclibc选项中还可以看到以上选项

编写如下bash脚本以检测缺失哪些文件库和调试文件

#!/bin/bash

# Check if a directory is provided
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <directory>"
    exit 1
fi

START_DIR="$1"

# Traverse directories and check for your conditions
find "$START_DIR" -maxdepth 1 -type d | while read dir; do
    # Check if the directory contains any non-hidden files
    if [ -z "$(find "$dir" -maxdepth 1 -type f ! -name '.*')" ]; then
        echo "Directory without files (excluding hidden ones): $dir"
    fi

    # Check for .debug directory
    if [ ! -d "$dir/.debug" ]; then
        echo "Missing .debug directory: $dir/.debug"
    else
        # Check if .debug directory contains files
        if [ -z "$(find "$dir/.debug" -type f ! -name '.*')" ]; then
            echo ".debug directory without files (excluding hidden ones): $dir/.debug"
        fi
    fi
    
done

在个人环境下的运行结果如下

~/glibc-all-in-one/libs$ ./checkout.sh .
Missing .debug directory: ./.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu3_i386/.debug
Directory without files (excluding hidden ones): ./2.23-0ubuntu11_i386
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.8_amd64/.debug
Directory without files (excluding hidden ones): ./2.27-0ubuntu2_amd64
Directory without files (excluding hidden ones): ./2.31-0ubuntu2_i386
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.6_i386/.debug
Directory without files (excluding hidden ones): ./2.31-0ubuntu1_amd64
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.9_amd64/.debug
Directory without files (excluding hidden ones): ./2.23-0ubuntu11.2_i386
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.4_amd64/.debug
Directory without files (excluding hidden ones): ./2.18-0ubuntu1_i386
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu5_amd64/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.9_i386
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu5_i386/.debug
Directory without files (excluding hidden ones): ./2.18-0ubuntu5_amd64
Directory without files (excluding hidden ones): ./2.19-0ubuntu1_i386
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu5_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu2_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.10_i386
Directory without files (excluding hidden ones): ./2.31-0ubuntu4_amd64
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu5_i386/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.7_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu1_amd64
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.2_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.1_amd64
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.2_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.21-0ubuntu6_amd64/.debug
Directory without files (excluding hidden ones): ./2.18-0ubuntu4_amd64
.debug directory without files (excluding hidden ones): ./2.26-0ubuntu4_i386/.debug
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu2_amd64/.debug
Directory without files (excluding hidden ones): ./2.31-0ubuntu7_i386
.debug directory without files (excluding hidden ones): ./2.26-0ubuntu3_i386/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu2_i386/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.13_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu7_amd64/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.13_i386
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.8_i386
Directory without files (excluding hidden ones): ./2.27-3ubuntu1.4_i386
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.15_i386/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.3_amd64/.debug
Directory without files (excluding hidden ones): ./2.31-0ubuntu9.2_i386
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.3_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6_i386
Directory without files (excluding hidden ones): ./2.23-0ubuntu7_amd64
Directory without files (excluding hidden ones): ./2.19-0ubuntu4_amd64
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.5_amd64
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu11.2_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu9.1_amd64/.debug
Directory without files (excluding hidden ones): ./2.31-0ubuntu8_i386
.debug directory without files (excluding hidden ones): ./2.17-93ubuntu4_i386/.debug
Directory without files (excluding hidden ones): ./2.31-0ubuntu3_amd64
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu3_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu2_amd64/.debug
Directory without files (excluding hidden ones): ./2.17-93ubuntu4_amd64
.debug directory without files (excluding hidden ones): ./2.27-3ubuntu1.3_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu1_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu7_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.11_i386/.debug
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu6_amd64/.debug
Directory without files (excluding hidden ones): ./2.23-0ubuntu9_amd64
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu6_amd64/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.14_amd64
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu4_i386/.debug
Directory without files (excluding hidden ones): ./2.18-0ubuntu2_amd64
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu6_i386/.debug
.debug directory without files (excluding hidden ones): ./2.30-0ubuntu3_i386/.debug
Directory without files (excluding hidden ones): ./2.27-0ubuntu3_i386
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu3_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.6_amd64
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.15_amd64/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.7_amd64
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu9.2_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu9_i386/.debug
.debug directory without files (excluding hidden ones): ./2.27-0ubuntu2_i386/.debug
Directory without files (excluding hidden ones): ./2.27-3ubuntu1.3_i386
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu9.1_i386/.debug
Directory without files (excluding hidden ones): ./2.18-0ubuntu6_i386
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.5_i386
Directory without files (excluding hidden ones): ./2.23-0ubuntu10_amd64
Directory without files (excluding hidden ones): ./2.31-0ubuntu9.3_amd64
.debug directory without files (excluding hidden ones): ./2.26-0ubuntu3_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu3_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.21-0ubuntu6_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6_amd64
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu2_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.27-3ubuntu1.2_amd64/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.1_i386
.debug directory without files (excluding hidden ones): ./2.30-0ubuntu3_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.27-3ubuntu1.2_i386/.debug
Directory without files (excluding hidden ones): ./2.31-0ubuntu1_i386
Directory without files (excluding hidden ones): ./2.23-0ubuntu1_i386
.debug directory without files (excluding hidden ones): ./2.27-3ubuntu1.4_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu9.3_i386/.debug
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.14_i386
.debug directory without files (excluding hidden ones): ./2.27-0ubuntu3_amd64/.debug
Directory without files (excluding hidden ones): ./2.21-0ubuntu5_amd64
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu6_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu5_amd64/.debug
Directory without files (excluding hidden ones): ./2.23-0ubuntu10_i386
Directory without files (excluding hidden ones): ./2.19-0ubuntu4_i386
Directory without files (excluding hidden ones): ./2.31-0ubuntu4_i386
Directory without files (excluding hidden ones): ./2.18-0ubuntu7_i386
Directory without files (excluding hidden ones): ./2.23-0ubuntu7_i386
Directory without files (excluding hidden ones): ./2.19-0ubuntu6.4_i386
Directory without files (excluding hidden ones): ./2.26-0ubuntu4_amd64
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu3_i386/.debug
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu5_i386/.debug
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu5_i386/.debug
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu2_i386/.debug
.debug directory without files (excluding hidden ones): ./2.31-0ubuntu8_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.10_amd64/.debug
Directory without files (excluding hidden ones): ./2.23-0ubuntu6_i386
Directory without files (excluding hidden ones): ./2.21-0ubuntu5_i386
.debug directory without files (excluding hidden ones): ./2.18-0ubuntu4_i386/.debug
.debug directory without files (excluding hidden ones): ./2.19-0ubuntu6.11_amd64/.debug
.debug directory without files (excluding hidden ones): ./2.23-0ubuntu4_amd64/.debug

建议解决方案

各个版本的libc库无非由原libc文件和调试用libc文件组成：

如果两者都没有，则从选项中删除
如果有前者没有后者，可以不做处理，但建议在选项中标出
如果没有前者有后者，建议将后者直接拷贝至前者
如果两者都有，则不处理

实现可以有以下三种方式，任选一种：

对libc单独维护其完整性信息，写入文件；编码成本中等，但有可能不小心对文件误操作会导致不统一问题，风险高
对目录做出标记(如在目录中写入隐藏文件，目录名做标记等等)，最建议，编码成本小、改动小并且回显快
运行程序实时检测各库的存在性；风险低，但是回显慢

Unreliable link speed may cause wget fail to download some of deb packages

情况简介

一部分libc版本的Libc包或者libc-dbg包疑似没有下载成功，导致出现空目录现象

以下是我在使用时碰到的示例(实际下载过程的log没有保存)：

~/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/.debug$ ls
libanl-2.23.so           libdl-2.23.so            libnss_dns-2.23.so       libresolv-2.23.so
libBrokenLocale-2.23.so  libm-2.23.so             libnss_files-2.23.so     librt-2.23.so
libc-2.23.so             libmemusage.so           libnss_hesiod-2.23.so    libSegFault.so
libcidn-2.23.so          libmvec-2.23.so          libnss_nis-2.23.so       libthread_db-1.0.so
libcrypt-2.23.so         libnsl-2.23.so           libnss_nisplus-2.23.so   libutil-2.23.so
libc.so.6                libnss_compat-2.23.so    libpcprofile.so
~/glibc-all-in-one/libs/2.23-0ubuntu11_amd64/.debug$ cd ..
~/glibc-all-in-one/libs/2.23-0ubuntu11_amd64$ ls
~/glibc-all-in-one/libs/2.23-0ubuntu11_amd64$

注意以上libc虽然debug库内有文件，但是libc库没有任何文件，而且因为程序是进行的目录存在性检测，需要删除该目录重新下载才有效

~/glibc-all-in-one/libs/2.23-0ubuntu11_amd64$ xclibc -d -r  2.23-0ubuntu11_amd64
[+]Successfully deleted 2.23-0ubuntu11_amd64
cp: invalid option -- '.'                                          <------------------------------------- 这里貌似也有bug，调用了RECORD函数
Try 'cp --help' for more information.
[+]restore!
~/glibc-all-in-one/libs/2.23-0ubuntu11_amd64$ xclibc -d   2.23-0ubuntu11_amd64

问题和建议解决方案

wget 问题

疑似因为下载速度过慢导致部分包被wget中断现象，建议加入支持断线重连选项，如 -c 等

以下是GPT4关于wget下载冗余处理的相关选项

Q:how to make wget download completely(when downloading process halted, trying to reconnect and download until files downloaded completely)?

A:If you're trying to make wget resilient to interruptions and want it to keep trying to download a file until it's complete, you can utilize several of its options:

--retry-connrefused: Retry if the connection is refused.

--waitretry=seconds: Wait the specified number of seconds between retries.

--timeout=seconds: Set the network timeout.

--tries=number: Set the number of retries.

-c or --continue: Resume getting a partially-downloaded file.

Here's an example that wraps these options together:


wget --retry-connrefused --waitretry=5 --read-timeout=20 --timeout=15 -t 0 -c [URL]


Here's a breakdown of the command:

--retry-connrefused: Even if the connection is refused, wget will keep trying.

--waitretry=5: wget will wait 5 seconds before the next retry.

--read-timeout=20: Set the read timeout to 20 seconds. If no data is received for more than this specified time, wget will retry.

--timeout=15: The network timeout is set to 15 seconds. If the server does not respond within this time, wget will retry.

-t 0: This tells wget to keep retrying indefinitely.

-c: If the download is interrupted, running this command again will resume from where it left off.

For very unreliable connections, you might need to adjust the retry and timeout values to be more lenient. You can also use -T as a shorthand for --timeout.

Keep in mind that this setup will have wget trying indefinitely, which might not be suitable in all scenarios. Adjust the -t option or remove it entirely if you want a finite number of retries.

log问题

由于没有目前没有简易的手段检测各个库是否下载完全，建议以下两种选择，选择其中一种即可：

在批量下载时进行log(校验deb文件hash或者在stderr输出错误信息打log)
编写脚本使得对各个目录进行完整性检测(或者文件存在的检测)，列出不完整目录

在此基础上，支持对于未下载或者漏下载的deb包进行批量下载，或者让用户一一下载未成功包

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.