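├── .gdb_history
├── .gitignore
├── README.md
├── build
├── clibc
├── download
├── download_old
├── extract
├── get_env.py
├── pwn_printf
└── update_list

/.gdb_history:
--------------------------------------------------------------------------------
start
vmmap
q

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
libs
debs
srcs
list
old_list

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## 说明

修改二进制文件依赖libc的版本

原本项目地址
[https://github.com/matrix1001/glibc-all-in-one](https://github.com/matrix1001/glibc-all-in-one)

在原项目的基础上进行了修改

## 运行

``` bash
python get_env.py #这一步是安装需要的所有libc文件
sudo ln -s /usr/bin/clibc #到项目文件夹里面去复制clibc,这一步可以把clibc变成全局命令
```

修改二进制文件的依赖库

``` bash
clibc pwn_printf 2.23 #pwn_printf是例子程序
```

## 运行结果
修改过的二进制文件(左)和原始二进制文件(右)没什么区别

![结果](https://raw.githubusercontent.com/tower111/picture/main/小书匠/1606831396379.png)


--------------------------------------------------------------------------------
/build:
--------------------------------------------------------------------------------
#!/bin/bash
# Download a glibc release tarball, unpack it under $GLIBC_DIR/<version>/source
# and build/install it into $GLIBC_DIR/<version>/<arch>/.
#
# Usage: build version arch
#
# NOTE(security): this script calls apt-get and writes under /glibc, so it is
# normally run as root. The tarball is fetched over plain HTTP and compiled
# without any signature or checksum verification; check it against the
# detached signature published with the glibc release before building on a
# machine you care about.
cd "$(dirname "$0")" || exit 1

SOURCE="http://mirrors.ustc.edu.cn/gnu/libc"
GLIBC_DIR="/glibc"

# Print a message on stderr and abort.
die() {
    echo >&2 "$1"
    exit 1
}

usage() {
    echo -e >&2 "Usage: $0 version arch\nSupported version:2.19, 2.23-2.29\nSupported arch: i686, amd64"
    exit 2
}

# download filename
# Fetch $SOURCE/<filename> into srcs/ unless the file is already there.
download(){
    local filename=$1
    if [ ! -f "srcs/$filename" ]; then
        # wget -O leaves an empty or partial file behind on failure; remove it
        # so a later run does not mistake it for a finished download.
        wget "$SOURCE/$filename" -O "srcs/$filename" \
            || { rm -f "srcs/$filename"; die "[-] Failed to download $SOURCE/$filename"; }
    else
        echo "[?] srcs/$filename already exists. remove it to re-download. continue ? (y/[n])"
        read -r opt
        if [ "$opt" != "y" ] && [ "$opt" != "Y" ]; then
            die "[*] check srcs/$filename manually"
        fi
    fi
}

# extract filepath output_dir
# Unpack the tarball into output_dir and lift the contents of its top-level
# directory up one level.
extract(){
    local filepath=$1
    local output_dir=$2
    if [ ! -f "$filepath" ]; then
        die "[-] Invalid filepath: $filepath"
    fi
    if [ ! -d "$output_dir" ]; then
        echo "[*] Making directory $output_dir"
        mkdir -p "$output_dir"
        cp "$filepath" "$output_dir/src.tar.gz"
        pushd "$output_dir" 1>/dev/null || die "[-] Cannot enter $output_dir"
        tar xf src.tar.gz || die "[-] Failed to unpack $filepath"
        mv */* ./
        rm src.tar.gz
        popd 1>/dev/null
    else
        echo "[?] Seems that source code exists in $output_dir. continue ? (y/[n])"
        read -r opt
        if [ "$opt" != "y" ] && [ "$opt" != "Y" ]; then
            die "[*] check $output_dir manually"
        fi
    fi
}

# build arch src_dir output_dir
# Configure, compile and install glibc from src_dir with prefix output_dir.
build(){
    local arch=$1
    local src_dir=$2
    local output_dir=$3
    if [ ! -d "$src_dir" ]; then
        die "[-] Invalid src_dir: $src_dir"
    fi
    if [ ! -d "$output_dir" ]; then
        echo "[*] Making directory $output_dir"
        mkdir -p "$output_dir"
    fi

    local -a configure_args=(--prefix="$output_dir" --disable-werror --enable-debug=yes)
    case "$arch" in
        amd64) ;;
        i686)  configure_args+=(--host=i686-linux-gnu --build=i686-linux-gnu CC="gcc -m32" CXX="g++ -m32") ;;
        *)     die "[-] Invalid arch: $arch" ;;
    esac

    pushd "$src_dir" 1>/dev/null || die "[-] Cannot enter $src_dir"
    mkdir -p build
    cd build || die "[-] Cannot enter $src_dir/build"
    # Stop at the first failing step instead of installing a half-built tree.
    ../configure "${configure_args[@]}" || die "[-] configure failed"
    make || die "[-] make failed"
    make install || die "[-] make install failed"
    cd ../
    rm -rf build
    popd 1>/dev/null
}


if [[ $# != 2 ]]; then
    usage
fi

GLIBC_VERSION=$1
ARCH=$2

# The version becomes part of the download URL and of paths under $GLIBC_DIR.
# Accept dotted numbers only, so a value such as "../x" cannot redirect where
# this script writes.
version_re='^[0-9]+(\.[0-9]+)+$'
if [[ ! $GLIBC_VERSION =~ $version_re ]]; then
    usage
fi
case "$ARCH" in
    amd64|i686) ;;
    *) usage ;;
esac

if [ ! -d "srcs" ]; then
    mkdir srcs
fi

if [ ! -d "$GLIBC_DIR" ]; then
    mkdir "$GLIBC_DIR"
fi

echo "[*] checking requirements"
apt-get install gawk bison gcc-multilib g++-multilib -y

SRC="glibc-$GLIBC_VERSION.tar.gz"

echo "[*] downloading $SRC"
download "$SRC"
SRC_DIR=$GLIBC_DIR/$GLIBC_VERSION/source
echo "[*] extracting to $SRC_DIR"
extract "srcs/$SRC" "$SRC_DIR"
echo "[*] building..."
build "$ARCH" "$SRC_DIR" "$GLIBC_DIR/$GLIBC_VERSION/$ARCH/"
echo "[+] build finished. check $GLIBC_DIR/$GLIBC_VERSION/$ARCH/"

--------------------------------------------------------------------------------
/clibc:
--------------------------------------------------------------------------------
#!/bin/bash
# Point an ELF binary at one of the glibc builds installed under /glibc by
# rewriting its interpreter and rpath with patchelf. The file is modified in
# place.
#
# Usage: clibc file libc_version [use_cwd]
#   file          ELF binary to patch
#   libc_version  version prefix of a directory under /glibc, e.g. 2.23
#   use_cwd       any non-empty third argument sets the rpath to the current
#                 directory instead of the libc directory
#
# NOTE(security): the patched binary takes its loader and libraries from the
# paths written here. With the rpath set to the working directory, any library
# placed in that directory is loaded by the binary, so keep patched binaries
# inside an analysis environment.

# Print a message on stderr and exit non-zero.
die() {
    echo >&2 "$1"
    exit 1
}

if [ $# -lt 2 ]; then
    die "Usage: $0 file libc_version [use_cwd]"
fi

FILE_NAME=$1
LIBC_VERSION=$2
WORKDIR=$(pwd)

LIBC_ROOT=/glibc
# Consider top-level directories only. An unrestricted find also returns files
# and nested directories whose names start with the version, which makes the
# result a multi-line value that breaks every path built from it.
LIBC_DIR=$(find "$LIBC_ROOT" -mindepth 1 -maxdepth 1 -type d -name "$LIBC_VERSION*" | sort | head -n 1)
if [ -z "$LIBC_DIR" ]; then
    die "Not support version or your $LIBC_ROOT don't have libc"
fi

# `file -b` prints e.g. "ELF 64-bit LSB ..."; take the word size only when the
# first word really is ELF.
EBIT=$(file -b -- "$FILE_NAME" | awk '$1 == "ELF" {print $2}' | cut -c 1-2)
case "$EBIT" in
    32) libc_dir=$LIBC_DIR/32/lib ;;
    64) libc_dir=$LIBC_DIR/64/lib ;;
    *)  die "It's not a elf file" ;;
esac

# Refuse to write an interpreter path that does not exist: the patched binary
# would no longer start.
interp=$libc_dir/ld-$LIBC_VERSION.so
if [ ! -f "$interp" ]; then
    die "Loader not found: $interp"
fi

if [ "$3" ]; then
    rpath=$WORKDIR/
else
    rpath=$libc_dir/
fi

patchelf --set-interpreter "$interp" --set-rpath "$rpath" "$FILE_NAME" || die "patchelf failed"
echo "success!!!"

--------------------------------------------------------------------------------
/download:
--------------------------------------------------------------------------------
#!/bin/bash
# Download the libc6 and libc6-dbg packages for one package id and unpack
# them into libs/<id> and libs/<id>/.debug.
#
# Usage: download id        (an entry of ./list, i.e. <version>_<arch>)
#
# NOTE(security): the .deb files are taken straight from the pool directory,
# so apt's signature checking is not involved and nothing here compares a
# checksum. Treat the unpacked libraries as unverified.
cd "$(dirname "$0")" || exit 1
if [ ! -d "libs" ]; then
    mkdir libs
fi

if [ ! -d "debs" ]; then
    mkdir debs
fi

SOURCE="https://mirror.tuna.tsinghua.edu.cn/ubuntu/pool/main/g/glibc"
# Use the source below if you feel slow, or change it on your own.
# SOURCE="http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/"

LIBC_PREFIX="libc6_"
LIBC_DBG_PREFIX="libc6-dbg_"

die() {
    echo >&2 "$1"
    exit 1
}

usage() {
    echo >&2 "Usage: $0 id"
    exit 2
}

# fetch_package deb_name out_dir label
# Download one .deb into debs/ and unpack it into out_dir.
fetch_package() {
    local deb_name=$1
    local out_dir=$2
    local label=$3
    local url="$SOURCE/$deb_name"
    echo " -> Location: $url"
    echo " -> Downloading libc $label package"
    wget "$url" 2>/dev/null -O "debs/$deb_name" || die "Failed to download package from $url"
    echo " -> Extracting libc $label package"

    mkdir "$out_dir"
    ./extract "debs/$deb_name" "$out_dir"
    echo " -> Package saved to $out_dir"
}

download_single() {
    local id=$1
    # The id is used as a directory name below libs/ and debs/; reject values
    # that could leave those directories or be read as an option.
    case "$id" in
        ""|*/*|.*|-*) die "Invalid id: $id" ;;
    esac
    echo "Getting $id"
    if [ -d "libs/$id" ]; then
        die " --> Downloaded before. Remove it to download again."
    fi

    # download binary package
    fetch_package "$LIBC_PREFIX$id.deb" "libs/$id" "binary"

    # download debug info package
    fetch_package "$LIBC_DBG_PREFIX$id.deb" "libs/$id/.debug" "debug"
}

if [[ $# != 1 ]]; then
    usage
fi
download_single "$1"

--------------------------------------------------------------------------------
/download_old:
--------------------------------------------------------------------------------
#!/bin/bash
# Same as ./download, but for package ids that only exist on the Ubuntu
# old-releases archive (the entries of ./old_list).
#
# Usage: download_old id
#
# NOTE(security): SOURCE below is plain HTTP and the .deb files are not
# checked against any signature or checksum, so the content can be altered in
# transit. Treat the unpacked libraries as unverified.
cd "$(dirname "$0")" || exit 1
if [ ! -d "libs" ]; then
    mkdir libs
fi

if [ ! -d "debs" ]; then
    mkdir debs
fi

SOURCE="http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc"

LIBC_PREFIX="libc6_"
LIBC_DBG_PREFIX="libc6-dbg_"

die() {
    echo >&2 "$1"
    exit 1
}

usage() {
    echo >&2 "Usage: $0 id"
    exit 2
}

# fetch_package deb_name out_dir label
# Download one .deb into debs/ and unpack it into out_dir.
fetch_package() {
    local deb_name=$1
    local out_dir=$2
    local label=$3
    local url="$SOURCE/$deb_name"
    echo " -> Location: $url"
    echo " -> Downloading libc $label package"
    wget "$url" 2>/dev/null -O "debs/$deb_name" || die "Failed to download package from $url"
    echo " -> Extracting libc $label package"

    mkdir "$out_dir"
    ./extract "debs/$deb_name" "$out_dir"
    echo " -> Package saved to $out_dir"
}

download_single() {
    local id=$1
    # The id is used as a directory name below libs/ and debs/; reject values
    # that could leave those directories or be read as an option.
    case "$id" in
        ""|*/*|.*|-*) die "Invalid id: $id" ;;
    esac
    echo "Getting $id"
    if [ -d "libs/$id" ]; then
        die " --> Downloaded before. Remove it to download again."
    fi

    # download binary package
    fetch_package "$LIBC_PREFIX$id.deb" "libs/$id" "binary"

    # download debug info package
    fetch_package "$LIBC_DBG_PREFIX$id.deb" "libs/$id/.debug" "debug"
}

if [[ $# != 1 ]]; then
    usage
fi
download_single "$1"

--------------------------------------------------------------------------------
/extract:
--------------------------------------------------------------------------------
#!/bin/bash
# Unpack a libc6 / libc6-dbg .deb into a temporary directory and copy the
# library files it contains into the output directory.
#
# Usage: extract deb output
cd "$(dirname "$0")" || exit 1

die() {
    echo >&2 "$1"
    exit 1
}

usage() {
    echo -e >&2 "Usage: $0 deb output"
    exit 2
}

extract() {
    local deb=$1
    local out=$2
    if [ ! -d "$out" ]; then
        mkdir "$out"
    fi
    local tmp
    tmp=$(mktemp -d) || die "mktemp failed"
    # dpkg -x only unpacks the package's file tree; maintainer scripts in the
    # package are not executed.
    dpkg -x "$deb" "$tmp" || { rm -rf "$tmp"; die "dpkg failed"; }

    # Try the known library locations in turn; the first copy that succeeds wins.
    cp -P "$tmp"/lib/*/* "$out" 2>/dev/null || cp -P "$tmp"/lib32/* "$out" 2>/dev/null \
        || cp -P "$tmp"/usr/lib/debug/lib/*/* "$out" 2>/dev/null || cp -P "$tmp"/usr/lib/debug/lib32/* "$out" 2>/dev/null \
        || die "Failed to save. Check it manually $tmp"

    rm -rf "$tmp"
}

if [[ $# -ne 2 ]]; then
    usage
fi

extract "$1" "$2"


--------------------------------------------------------------------------------
/get_env.py:
--------------------------------------------------------------------------------
"""Fetch every libc listed by ./update_list and install it under /glibc.

Run from the project directory: the helper scripts and the ``list`` file are
addressed by relative path.
"""
import glob
import os
import re
import subprocess

# The ids in ``list`` come from a mirror's HTML index and end up in paths that
# are handled with sudo. Only ids of the shape ./update_list produces are
# used; every other line of the file is ignored.
_ID_RE = re.compile(r"^2\.[0-9][0-9]-[0-9]ubuntu[0-9.]*_(amd64|i386)$")


def download(LibcNameList):
    """Run ./download once for each package id."""
    for item in LibcNameList:
        # Argument list instead of a shell string: the id is passed as one
        # argument and is never parsed as shell syntax.
        subprocess.call(["./download", item])


def mkDir(name):
    """Create /glibc/<version>/{64,32}/lib/ for each version in *name*."""
    for item in name:
        for bits in ("64", "32"):
            subprocess.call(["sudo", "mkdir", "-p", "/glibc/{}/{}/lib/".format(item, bits)])


def getName(LibcNameList):
    """Return the distinct version prefixes (text before the first "-"), in order."""
    name = []
    for item in LibcNameList:
        version = item.split("-")[0]
        if version == "" or version in name:
            continue
        name.append(version)
    print("name:", name)
    return name


def _install(LibcName):
    """Copy the unpacked files of one package id into its /glibc directory."""
    if LibcName.endswith("_amd64"):
        bits = "64"
    elif LibcName.endswith("_i386"):
        bits = "32"
    else:
        return
    # Use the id's own version prefix. A substring test against every known
    # version can also match digits that appear later in the revision part.
    version = LibcName.split("-")[0]
    # glob skips dot entries, as the shell's "*" did, so .debug is not copied.
    files = glob.glob(os.path.join("libs", LibcName, "*"))
    if not files:
        return
    subprocess.call(["sudo", "cp"] + files + ["/glibc/{}/{}/lib/".format(version, bits)])


def main():
    subprocess.call(["./update_list"])

    with open("./list", "r") as f:
        content = f.read()

    print(content)
    LibcNameList = [line for line in content.split("\n") if _ID_RE.match(line)]

    name = getName(LibcNameList)
    mkDir(name)

    download(LibcNameList)
    for LibcName in LibcNameList:
        _install(LibcName)


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/pwn_printf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tower111/pwn-change-libc/8223164e79a1a4a30683c5c68182628530ee9522/pwn_printf
--------------------------------------------------------------------------------
/update_list:
--------------------------------------------------------------------------------
#!/usr/bin/python
"""Write the libc6 package ids found on the Ubuntu mirrors to ``list`` and ``old_list``."""
import re
import requests

common_url = 'https://mirror.tuna.tsinghua.edu.cn/ubuntu/pool/main/g/glibc/'
# url = 'http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/'
# NOTE: plain HTTP, so this index can be altered in transit.
old_url = 'http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc/'

# requests waits indefinitely unless a timeout is given.
REQUEST_TIMEOUT = 30  # seconds


def get_list(url, arch):
    """Return the libc6 package ids for *arch* found in the index page at *url*."""
    response = requests.get(url, timeout=REQUEST_TIMEOUT)
    # Fail on an HTTP error instead of parsing an error page into an empty list.
    response.raise_for_status()
    content = response.content.decode('utf-8')  # convert the bytes object to a string
    # The character classes also act as an allowlist: only digits, dots, "-",
    # "ubuntu" and the arch suffix can reach the list files, whose entries the
    # other scripts later use in paths and commands.
    return re.findall(r'libc6_(2\.[0-9][0-9]-[0-9]ubuntu[0-9\.]*_{})\.deb'.format(arch), content)


def save_list(path, ids):
    """Write the sorted, de-duplicated ids to *path*, one per line."""
    with open(path, 'w') as f:
        for entry in sorted(set(ids)):
            f.write(entry + '\n')


common_list = get_list(common_url, 'amd64')
common_list += get_list(common_url, 'i386')
save_list('list', common_list)

print('[+] Common list has been saved to "list"')

old_list = get_list(old_url, 'amd64')
old_list += get_list(old_url, 'i386')
save_list('old_list', old_list)

print('[+] Old-release list has been saved to "old_list"')

--------------------------------------------------------------------------------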