ChaO-0/WriteUps

Libc Version

Closed this issue · 6 comments

In the TAMUctf pwn4 writeup you haven't mentioned the way to find the libc version which was on the remote server.

Can you briefly explain how you got the version detail as 'libc6_2.23-0ubuntu3_i386.so'?

Sorry for the late response. We did mention it in the screenshot of the code. We leak the remote libc by using the GOT address. The GOT address contains the libc address of that GOT function. You will get some hex every time you run the payload, and it will always change because of ASLR. But the last 3 digits won't change; we used those last 3 digits to leak libc in https://libc.blukat.me. BTW, instead of ret2libc, pwn4 has another vulnerability that can easily spawn a shell just by using command injection like ';sh'

Oh yeah, to leak the libc remotely in 32-bit we always use this payload skeleton: padding + print/puts@plt + next address + any@got

Everything you write is awesome!! I have only one doubt! BTW I still don't understand how you specifically chose this one, 'libc6_2.23-0ubuntu3_i386.so', as the shared library which was on the remote server. May I know: with just the 3 lower byte hex, can we know its libc version?

I got 'libc6_2.23-0ubuntu3_i386.so' just by leaking the last 3 digits of the hex from https://libc.blukat.me; all I did is leak the libc in gets@got. As you can see, the last 3 digits won't change, so we could leak it from https://libc.blukat.me just like this. You see there is only 1 libc version, so I decided to use that version of libc :D
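Why the last three hex digits are enough for the lookup described above, as an added example that is not part of the original thread: libc is mapped at a page-aligned base, so a leaked address and the symbol's offset inside the library share their low 12 bits. The build names, offsets and leaked addresses are constructed for illustration, and the second-symbol check goes beyond what the thread shows.

```python
PAGE_MASK = 0xFFF  # ASLR moves mappings in whole 4 KiB pages

# Constructed symbol-offset table: names and offsets are made up for this
# example and do not describe any real libc package.
BUILDS = {
    "libc-build-A": {"gets": 0x5F3E0, "puts": 0x5FCA0},
    "libc-build-B": {"gets": 0x653E0, "puts": 0x67360},
    "libc-build-C": {"gets": 0x5E890, "puts": 0x5F140},
}

# Constructed leaks of the same binary on two runs (build A, two random bases).
RUN1 = {"gets": 0xF7DAF3E0, "puts": 0xF7DAFCA0}
RUN2 = {"gets": 0xF7E023E0, "puts": 0xF7E02CA0}


def low12(addr):
    """Bits that page-granular randomization cannot change."""
    return addr & PAGE_MASK


def implied_base(addr, offset):
    """Base address implied by one leak, or None if it is not page-aligned."""
    base = addr - offset
    return base if base >= 0 and base & PAGE_MASK == 0 else None


def candidates(leaks, builds=BUILDS):
    """Return {build: base} for builds consistent with every leaked symbol."""
    result = {}
    for name, offsets in builds.items():
        bases = set()
        for sym, addr in leaks.items():
            off = offsets.get(sym)
            bases.add(None if off is None else implied_base(addr, off))
        # Every symbol must imply the same page-aligned base.
        if len(bases) == 1 and None not in bases:
            result[name] = bases.pop()
    return result


if __name__ == "__main__":
    print(hex(low12(RUN1["gets"])), hex(low12(RUN2["gets"])))
    print(candidates({"gets": RUN1["gets"]}))  # low 12 bits alone: A and B
    print(candidates(RUN1))                    # second symbol leaves only A
```

When one symbol matches several builds, a second leaked symbol usually removes the ambiguity, because every symbol has to imply the same base.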

Thank you so much!! :)

You're welcome! Feel free to ask me more :D