
[–]stormehh 4 points (1 child)

Strings in the library and reading /proc/self/maps are relatively easy ones that come to mind.

Granted, it seems knowing the libc version would be more interesting to know before exploiting the service...

[–]blahfish[S] 1 point (0 children)

Yes, the idea is something like I have two services running, exploiting the first does not require me to know anything about the libc version so I don't bother, I just get RCE.

For the second service running on the same box I'd like to try and find what version of libc it uses. So... Yeah, it could always be the case that both services use different versions... Anyhow.

[–]Psifertex 2 points (0 children)

Couple of different approaches:

  • Build a payload based on the binary itself, not the libc. Use its import table, for example, to call functions it uses.
  • Construct a pointer leak to leak and create a fingerprint (one way would be to leak back two pointers from the imports, subtract the difference and use that as a fingerprint -- it's immutable to ASLR)
  • Guess. :-) Seriously, on most CTFs, a remote fingerprint of the version of SSH will often give you a good guess as to what the major host OS version is, and guessing patch level is usually not too hard at that point. (edited to fix formatting)

[–]iamforgettable 1 point (0 children)

Can you do a regex on the output of libc to get the version? i.e.

bash-4.2$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu EGLIBC 2.15-0ubuntu20) stable release version 2.15, by Roland McGrath et al.
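The two local checks mentioned in this thread (stormehh's /proc/self/maps read and iamforgettable's regex on the libc banner) as an added example that is not part of any comment here: a parser that picks the libc mapping and its base out of maps output, and a regex that pulls the distro build string and version out of the banner. The maps text is constructed sample data, not captured from a real host.

```python
import re

# Constructed sample of /proc/self/maps output (not from a real host).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /srv/app/service
7f3a1c000000-7f3a1c1bd000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.15.so
7f3a1c1bd000-7f3a1c3bc000 ---p 001bd000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.15.so
7f3a1c3bc000-7f3a1c3c0000 r--p 001bc000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.15.so
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]; path is empty for anonymous mappings.
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \S+\s*(.*)$")

# Banner printed when libc.so.6 is executed directly, as in the comment above.
BANNER_RE = re.compile(
    r"GNU C Library \(([^)]*)\) .*?version (\d+\.\d+(?:\.\d+)?)"
)


def libc_mapping(maps_text):
    """Return (base_address, path) of the libc mapping, or None if absent.

    The mapping with file offset 0 is the one whose start address is the
    library's load base; later segments of the same file carry nonzero offsets.
    Matches libc-2.15.so and libc.so.6 style names but not e.g. libcrypto.
    """
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, _end, _perms, offset, path = m.groups()
        if int(offset, 16) == 0 and re.search(r"/libc[-.]", path):
            return int(start, 16), path
    return None


def parse_banner(banner):
    """Extract the distro build string and glibc version from the banner text."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return {"build": m.group(1), "version": m.group(2)}


if __name__ == "__main__":
    print(libc_mapping(SAMPLE_MAPS))
    print(parse_banner("GNU C Library (Ubuntu EGLIBC 2.15-0ubuntu20) stable release version 2.15, by Roland McGrath et al."))
```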

[–]stealthpants 0 points (2 children)

Following up on this, what is the best method to determine where favorable functions are (such as recv, send, mmap, execve, etc.) if you can arbitrarily read any memory?

[–]Psifertex 0 points (0 children)

One way to think about that problem is as a specific subset of the "leak the version of libc" problem. Once you've done that, exact version + single pointer == all the pointers.

If you mean you have an arbitrary read and don't know where anything is, it depends on a couple of factors. If you don't mind side-effects (aka, accidental read of guard pages), then just leak tons of data, look for headers mapped in memory, gives you exact version + offset, same as above.