This simple shell script is based patchelf and glibc-all-in-one . So , using patchpwn , you need to ensure that you have install them and they are in normal use .
Before specifying the libc version , you should download the libc via glibc-all-in-one, then edit this shell script and replace the LIBC_DIR variable to adapt your local environment.After patching the binary ,it will generate a new binary file with the _patched
suffix and no change to the original binary file.
LIBC_DIR="/home/giles/tools/glibc-all-in-one/"
# LIBC_DIR="/dir/to/your/glibc-all-in-one/"
After gitiing this project , add this to $PATH should be better.
giles@ubuntu:~/topatchelf $ chmod +x ./patchpwn
giles@ubuntu:~/topatchelf $ sudo cp ./patchpwn /bin/
Currently,there are two patterns to specify the libc version.
giles@ubuntu:~ $ patchpwn ubuntu18 ./pwn
giles@ubuntu:~ $ ldd ./pwn
linux-vdso.so.1 (0x00007ffee81fb000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbd2347c000)
/lib64/ld-linux-x86-64.so.2 (0x00007fbd23688000)
giles@ubuntu:~ $ ldd ./pwn_patched
linux-vdso.so.1 (0x00007ffe429d0000)
/home/giles/tools/glibc-all-in-one/libs/2.27-3ubuntu1.2_amd64/libc.so.6 (0x00007fc4f07ad000)
/home/giles/tools/glibc-all-in-one/libs/2.27-3ubuntu1.2_amd64/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007fc4f0ba7000)
As you can see, the default patch aims at x86 libc. And you can add the suffix 32
to specify i386 version.
giles@ubuntu:~ $ patchpwn ubuntu18 ./pwn32 32
giles@ubuntu:~ $ ls
pwn pwn32 pwn32_patched pwn_patched test.c
Unfortunately, only ubuntu16,ubuntu18,ubuntu20 are currently supported.
And also you change the default version of every supportive os in this shell script.
# the default is x86 glibc
DEFAULT_ubuntu16_04="2.23-0ubuntu11.3_amd64"
DEFAULT_ubuntu18_04="2.27-3ubuntu1.2_amd64"
DEFAULT_ubuntu20_04="2.31-0ubuntu9.2_amd64"
DEFAULT_ubuntu16_32="2.23-0ubuntu11.3_i386"
DEFAULT_ubuntu18_32="2.27-3ubuntu1.2_i386"
DEFAULT_ubuntu20_32="2.31-0ubuntu9.2_i386"
giles@ubuntu:~ $ patchpwn --help
...
Your Libc:
[+] 2.23-0ubuntu11.3_amd64
[+] 2.23-0ubuntu11.3_i386
[+] 2.23-0ubuntu3_amd64
[+] 2.23-0ubuntu3_i386
[+] 2.24-3ubuntu2.2_amd64
[+] 2.27-3ubuntu1.2_amd64
[+] 2.27-3ubuntu1.2_i386
[+] 2.27-3ubuntu1_amd64
[+] 2.27-3ubuntu1_i386
[+] 2.31-0ubuntu9.2_amd64
[+] 2.31-0ubuntu9.2_i386
giles@ubuntu:~ $ patchpwn 2.27-3ubuntu1_amd64 ./pwn
giles@ubuntu:~ $ ldd pwn_patched
linux-vdso.so.1 (0x00007fffbd9fe000)
/home/giles/tools/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc.so.6 (0x00007f58a7c85000)
/home/giles/tools/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007f58a807f000)
The parameter --help
help you inspect the available libc in the directory /dir/to/your/glibc-all-in-one/libs/
. Also you can download more libc via glibc-all-in-one
giles@ubuntu:~/Desktop/GreentownNote/attachment $ strings libc-2.27.so | grep "GNU"
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
Compiled by GNU CC version 7.3.0.
giles@ubuntu:~/Desktop/GreentownNote/attachment $ patchpwn
...
Your Libc:
[+] 2.23-0ubuntu11.3_amd64
[+] 2.23-0ubuntu11.3_i386
[+] 2.23-0ubuntu3_amd64
[+] 2.23-0ubuntu3_i386
[+] 2.27-3ubuntu1.2_amd64
[+] 2.27-3ubuntu1.2_i386
[+] 2.27-3ubuntu1_amd64
[+] 2.27-3ubuntu1_i386
giles@ubuntu:~/Desktop/GreentownNote/attachment $ patchpwn 2.27-3ubuntu1_amd64 ./GreentownNote
giles@ubuntu:~/Desktop/GreentownNote/attachment $ python exp.py
It can help to attack exit_hook(hook in ld),and crack remote libc.