Support for libc databases with offsets using https://libc.rip/api/

[zglozman]

Thanks for contributing to Pwntools! Ideas from the community help make Pwntools an amazing tool for everybody.

If you've got an idea for a new feature, please provide information about:

• What the feature does
  takes a leaked offset and find the correct libc binary and downloads it, then returns and ELF object with that file.

• Why the feature should exist
  To (1) create an abstraction allowing using the same exploit locally with one version of libc and remote with another version of LIBC

• What tests should be included

If you think you can write the feature yourself, please submit a Pull Request and we can review your changes!
IF nobody is working on that i will be glad to try go build it.

[Arusekk]

I thought #1704 does that already, see https://docs.pwntools.com/en/latest/libcdb.html
(it looks up by build ID, not offsets, but it works for most cases). Please close if it works for you, or submit a PR if you have more ideas.

[zglozman]

nope, I am talking of a different use case. Let's say I can leak actual addresses of some libc functions and now want to search by offsets and download the correct libs to build my rop chain. I will propose a PR.

[Arusekk]

Any updates on this?

[synap5e]

Here's what I used to solve the same scenario if it's any use to anyone finding this issue.

leak is a printf("%<n>$sAAAA<address>") primitive that can be used repeatedly.
This assumes that cost(leak) > cost(libc.rip lookup).

If you were using e.g. a ROP that writes GOT entries you wouldnt need the loop and could dump a bunch of known_symbols at once and make a single request to libc.rip.

log.info('Leaking GOT symbols addresses until libc is known')
libc_db_data = None
known_symbols = {}
prev = None
for f in elf.got:
    if f in ['_ITM_deregisterTMCloneTable', '__gmon_start__', '_ITM_registerTMCloneTable', 'stdout', 'stdin']:
        # ignore - address is likely 0
        continue

    address = u64(leak(elf.got[f]).ljust(8, b'\x00'))
    log.info(f'\t{f.ljust(24)}: 0x{address:016x}')

    if address:
        known_symbols[f] = address
        r = requests.post(
            'https://libc.rip/api/find', 
            json={
                'symbols': {
                    s: hex(a) for s, a in known_symbols.items()
                }
            }
        )
        r.raise_for_status()
        found_libcs = r.json()
        if not found_libcs:
            log.warning('\tCould not find libc in libc.rip database - ignoring symbol')
            del known_symbols[f]
            continue
        elif len(found_libcs) == 1:
            libc_db_data = found_libcs[0]
            break
        else:
            log.info(f'{len(found_libcs)} matching libcs found in libc.rip database')
            if len(found_libcs) == prev:
                # Note: could be more forgiving than failing after the first symbol that fails to refine the list
                log.info('Giving up on resolving and using first')
                libc_db_data = found_libcs[0]
                break
            prev = len(found_libcs)


log.info(f'Found singular matching libc:\n{pformat(libc_db_data)}')
libc_elf_path = libc_db_data['id']
try:
    libc = ELF(libc_elf_path)
except:
    download(libc_db_data['download_url'], libc_elf_path)
    libc = ELF(libc_elf_path)

[Arusekk]

Partially addressed by #1828