
If I have a libc file which is used on another server where the vulnerable binary is running, then how can I find the address of system in it?

I have both the vulnerable binary and the libc file with me.

Usually, on my local system, I would use gdb to find the system() address. But when I execute the binary on my system, it will be using the libc from my system.

So, how can I make sure that the address I find using gdb is of the libc from another server and not on my local system?

Should I place the libc file (from another server) in the same directory as the binary so that it is loaded by default when it's executed instead of the libc of local system?

Thanks.

Neon Flash
  • See also [return to libc- finding libc's address and finding offsets](https://security.stackexchange.com/questions/168101/return-to-libc-finding-libcs-address-and-finding-offsets) – Sjoerd Dec 06 '18 at 08:01
  • You can make the binary use a custom libc using `LD_PRELOAD`. – game0ver Dec 06 '18 at 08:23

1 Answer


Try leaking two libc addresses and matching their difference with a libc database on the internet. This will give you the libc version used. After that you can find the offset of system in this libc with pwntools by:

```python
from pwn import ELF

libc = ELF("/path/to/libc")            # the libc file taken from the other server
libc_system = libc.symbols["system"]   # offset of system() from the libc load base
```

Arav Garg
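The same lookup done without pwntools, as an added example that is not part of the question or answer: it reads the `.dynsym` table straight out of the supplied libc file, so the offsets can never come from the local libc, and it carries through the two steps the answer describes (checking that two leaks fit one libc, then turning one leak into the runtime address of `system`). The libc path is whatever file you were given; x86-64 little-endian ELF64 is assumed.

```python
"""Symbol offsets from a given libc.so.6 file, parsed directly from its .dynsym.

Added example (not from the question or answer). Reads the ELF64 section
headers, finds .dynsym/.dynstr and returns st_value, which for a shared
object is the offset from the load base. x86-64 little-endian only.
"""
import struct

SHT_DYNSYM = 11
WANTED = ("system", "puts", "printf", "__libc_start_main")


def dynsym_offsets(path, wanted=WANTED):
    """Return {name: offset-from-base} for the wanted names in .dynsym."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 == ELF64
        raise ValueError("not an ELF64 file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        sym_off, sym_size, entsize = sh[4], sh[5], sh[9]
        str_off = shdrs[sh[6]][4]                       # sh_link -> .dynstr offset
        for off in range(sym_off, sym_off + sym_size, entsize):
            st_name, _, _, _, st_value, _ = struct.unpack_from("<IBBHQQ", data, off)
            end = data.index(b"\0", str_off + st_name)
            name = data[str_off + st_name:end].decode()
            if name in wanted and st_value and name not in found:
                found[name] = st_value
    return found


def leaks_match(offsets, leaks):
    """True if every leaked (name, address) pair implies the same libc base,
    i.e. this libc file matches the remote one (the libc-database step)."""
    return len({addr - offsets[n] for n, addr in leaks.items()}) == 1


def resolve_from_leak(offsets, leaked_name, leaked_addr, target="system"):
    """Derive libc base and the target's runtime address from one leak."""
    base = leaked_addr - offsets[leaked_name]
    if base & 0xfff:
        raise ValueError("libc base not page aligned: wrong libc build?")
    return base, base + offsets[target]
```

`dynsym_offsets("/path/to/remote/libc.so.6")["system"]` gives the same number as `ELF(...).symbols["system"]` in pwntools, and `leaks_match` returning False is the quickest sign that the file you have is not the build running on the server.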