Match against local system libc first in libcdb

Don't do any requests if the libc currently in use on the system running the exploit matches already. This is a small short circuit optimization when the remote target uses the same libc as the local one. This looks at the libc loaded by the local shell binary. This appears more dynamic than hardcoding library paths. Refs Gallopsled#983
peace-maker · Jan 2, 2024 · 1711b5d · 1711b5d
1 parent cd0c34a
commit 1711b5d
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/pwnlib/libcdb.py b/pwnlib/libcdb.py
@@ -13,14 +13,20 @@
 from pwnlib.log import getLogger
 from pwnlib.tubes.process import process
 from pwnlib.util.fiddling import enhex
+from pwnlib.util.hashes import sha1sumhex, sha256sumhex, md5sumhex
 from pwnlib.util.misc import read
 from pwnlib.util.misc import which
 from pwnlib.util.misc import write
 from pwnlib.util.web import wget
 
 log = getLogger(__name__)
 
-HASHES = ['build_id', 'sha1', 'sha256', 'md5']
+HASHES = {
+    'build_id': lambda path: enhex(ELF(path, checksec=False).buildid or b''),
+    'sha1': sha1sumhex,
+    'sha256': sha256sumhex,
+    'md5': md5sumhex,
+}
 DEBUGINFOD_SERVERS = [
     'https://debuginfod.elfutils.org/',
 ]
@@ -100,7 +106,23 @@ def provider_libc_rip(hex_encoded_id, hash_type):
         return None
     return data
 
-PROVIDERS = [provider_libcdb, provider_libc_rip]
+# Check if the local system libc matches the requested hash.
+def provider_local_system(hex_encoded_id, hash_type):
+    if hash_type == 'id':
+        return None
+    shell_path = os.environ['SHELL'] or '/bin/sh'
+    if not os.path.exists(shell_path):
+        log.debug('Shell path %r does not exist. Skipping local system libc matching.', shell_path)
+        return None
+    local_libc = ELF(shell_path, checksec=False).libc
+    if not local_libc:
+        log.debug('Cannot lookup libc from shell %r. Skipping local system libc matching.', shell_path)
+        return None
+    if HASHES[hash_type](local_libc.path) == hex_encoded_id:
+        return local_libc.data
+    return None
+
+PROVIDERS = [provider_local_system, provider_libcdb, provider_libc_rip]
 
 def search_by_hash(hex_encoded_id, hash_type='build_id', unstrip=True):
     assert hash_type in HASHES, hash_type