
I'm trying to run an executable using pwntools using a different version of libc than the one I installed locally. Is there any way I can do that? I tried this way, but it doesn't seem to work.

I will attach a picture with the script and also with what error I got.

 io = process(BIN, env={"LD_PRELOAD": "./libc.so.6"})

I am running this on Ubuntu 20.04 using python 3.8.

Mocanu Gabriel
  • **What does "doesn't work" mean?** What happened when you tried it? Did you get an error message? If you did get an error, paste the entire message instead of paraphrasing. Did you get incorrect results? Did you get *no* results?  If the results were incorrect, what made them incorrect? What were you expecting instead? Did you get *any* correct results?  If so, what were they? Don't make us guess. – Andy Lester Dec 13 '21 at 22:54
  • Hi Andy, I added the error message and also the pwn script. Excuse me for not mentioning them from the beginning. – Mocanu Gabriel Dec 13 '21 at 23:18
  • I don't know if this helps: https://fibonhack.github.io/resources/pwn – Zeltrax Dec 14 '21 at 07:46
  • Yes, this article is great! Thanks! – Mocanu Gabriel Dec 14 '21 at 12:24
  • When you're asking for help, please don't post screenshots or photographs. Cut & paste the text directly into the message. Why? 1. It's easier for people to read it. 2. It allows those reading it to cut & paste the text, making it easier to work on solving your problem. 3. It makes it searchable, so that someone can find this thread when Googling for information in the future. 4. A screen reader can't read a picture which limits access to some in our community. – Andy Lester Dec 14 '21 at 14:05

1 Answer


Here is a method that requires 2 files: the LibC and the associated linker (ld). Here is an example with a 2.23 LibC.

You might be interested in pwninit to download the linker (ld) associated with your LibC.

Run in command line:

Then, run the linker with the challenge binary as an argument and use the LD_PRELOAD environment variable to specify the LibC that should be loaded.

$ LD_PRELOAD=/path/to/libc-2.23.so ./ld-2.23.so ./chall

Pwntools

With pwntools you can do the following:

#!/usr/bin/env python3

from pwn import *

context.binary = bin = ELF("./chall")
libc = ELF("./libc-2.23.so")
ld = ELF("./ld-2.23.so")

io = process([ld.path, bin.path], env={"LD_PRELOAD": libc.path})

Pwntools template

If you use the pwn template command to generate an exploit skeleton, you can make these changes to the start function to use a custom LibC.

ld = ELF('./ld-2.23.so')
libc = ELF('./libc-2.23.so')

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
        return gdb.debug([ld.path, exe.path] + argv, gdbscript=gdbscript, *a, **kw, env={"LD_PRELOAD":libc.path})
    else:
        return process([ld.path, exe.path] + argv, *a, **kw, env={"LD_PRELOAD":libc.path})
Olivier Lasne
  • This is mostly based on this answer: https://security.stackexchange.com/questions/238631/ctf-setup-for-debugging-heap-exploits – Olivier Lasne Apr 20 '23 at 16:59
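
Why the loader has to be passed explicitly, as an added example that is not part of the answer above: a dynamically linked ELF names its loader in the PT_INTERP program header, so setting LD_PRELOAD alone still starts the system ld.so and pairs it with the foreign libc. The sketch below reads that field with the standard library only; `elf_interp`, `launch_plan` and `sample_elf` are hypothetical helper names, and the sample bytes are constructed.

```python
import os
import struct
from typing import Dict, List, Optional, Tuple

PT_INTERP = 3  # program header type that names the requested dynamic loader


def elf_interp(data: bytes) -> Optional[str]:
    """Return the PT_INTERP path of a little-endian ELF64 image, or None."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", data, off)
        (p_filesz,) = struct.unpack_from("<Q", data, off + 0x20)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None  # statically linked: no loader runs, LD_PRELOAD is ignored


def launch_plan(binary: str, libc: str, ld: str) -> Tuple[str, List[str], Dict[str, str]]:
    """Return (bypassed loader, argv, env) in the shape passed to process()."""
    with open(binary, "rb") as f:
        interp = elf_interp(f.read())
    if interp is None:
        raise ValueError("static binary: swapping libc via the loader cannot work")
    # Loader first, target second: the kernel executes ld directly, so the
    # PT_INTERP entry of the target is never consulted.
    argv = [os.path.abspath(ld), os.path.abspath(binary)]
    return interp, argv, {"LD_PRELOAD": os.path.abspath(libc)}


def sample_elf() -> bytes:
    """Constructed image: ELF64 header, one PT_INTERP entry, loader string."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    ehdr = struct.pack("<4sBB10xHHIQQQIHHHHHH", b"\x7fELF", 2, 1,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0,
                       len(interp), len(interp), 1)
    return ehdr + phdr + interp


if __name__ == "__main__":
    print("default loader:", elf_interp(sample_elf()))
```

The `argv` and `env` values returned by `launch_plan` can be handed to `process(argv, env=env)` as in the answer.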