
Building a debug version of glibc

Use cases

  1. The shared libraries on a typical system are release builds with the symbol table and other debug information stripped; for convenient debugging you need a debug build of glibc.
  2. In CTF challenges the libc version a binary needs often differs from the local system's; to run the program locally, a matching libc has to be set up.

Download the glibc source

git clone git://sourceware.org/git/glibc.git 
cd glibc
git checkout glibc-2.27

Build the glibc source

Build 64-bit

mkdir build
cd build
../configure --prefix=/usr/local/glibc-2.27 --enable-debug=yes
make -j4
sudo make install

Build 32-bit

Install the packages needed for i686

Reference

sudo apt install binutils-i686-gnu 
sudo apt install gcc-i686-linux-gnu
sudo apt install binutils-i686-gnu-dbg
sudo apt install g++-i686-linux-gnu
#sudo apt install g++
#sudo apt install gcc

If apt reports an error, switch to another mirror.

Reference

cd /etc/apt
subl sources.list
# paste the following into it
sudo apt-get update
# deb cdrom:[Debian GNU/Linux 7.0 _Kali_ - Official Snapshot i386 LIVE/INSTALL $

# deb cdrom:[Debian GNU/Linux 7.0 _Kali_ - Official Snapshot i386 LIVE/INSTALL $

## Security updates

deb http://http.kali.org/ /kali main contrib non-free

deb http://http.kali.org/ /wheezy main contrib non-free

deb http://http.kali.org/kali kali-dev main contrib non-free

deb http://http.kali.org/kali kali-dev main/debian-installer

deb-src http://http.kali.org/kali kali-dev main contrib non-free

deb http://http.kali.org/kali kali main contrib non-free

deb http://http.kali.org/kali kali main/debian-installer

deb-src http://http.kali.org/kali kali main contrib non-free

deb http://security.kali.org/kali-security kali/updates main contrib non-free

deb-src http://security.kali.org/kali-security kali/updates main contrib non-fr$

Configure the 32-bit build

 #../configure --prefix=/usr/local/glibc-2.23_32 --enable-debug=yes --host=i686-linux-gnu --build=i686-linux-gnu CC="gcc -m32" CXX="g++ m32" CFLAGS="-O2 -march=i686" CXXFLAGS="-O2 -march=i686"
# The line above is what the original book gives, but it errored when used; the approach below was found to work
CC="gcc -m32" CXX="g++ -m32" \
CFLAGS="-g -g3 -ggdb -gdwarf-4 -Og -Wno-error -fno-stack-protector" \
CXXFLAGS="-g -g3 -ggdb -gdwarf-4 -Og -Wno-error -fno-stack-protector" \
../configure --prefix=/usr/local/glibc-2.23_32 --host=i686-linux-gnu --disable-werror

Compile & install

make
make install

Running other already-compiled programs with this libc

Replace the binary's interpreter (ld.so) path

#change_ld.py
import os
import argparse
from pwn import *

def change_ld(binary, ld, output):
    if not binary or not ld or not output:
        log.failure("Try 'python change_ld.py -h' for more information.")
        return None

    binary = ELF(binary)
    data = None
    for segment in binary.segments:
        if segment.header['p_type'] == 'PT_INTERP':
            size = segment.header['p_memsz']
            addr = segment.header['p_vaddr']   # ELF.write() takes a virtual address
            data = segment.data()              # current interpreter path (bytes, NUL-padded)
            new_interp = "/lib64/ld-glibc-{}".format(ld)
            # the segment is not resized: the new path plus its NUL terminator must fit in the existing slot
            if len(new_interp) + 1 > size:
                log.failure("Failed to change PT_INTERP from {} to {}".format(data, new_interp))
                return None
            binary.write(addr, new_interp.encode().ljust(size, b'\0'))

    if data is None:
        log.failure("No PT_INTERP segment found (statically linked binary?)")
        return None

    if os.access(output, os.F_OK):
        os.remove(output)
    binary.save(output)
    os.chmod(output, 0o700)  # rwx------
    log.success("PT_INTERP has changed from {} to {}. Using temp file {}".format(data, ld, output))

parser = argparse.ArgumentParser(description='Force to use assigned new ld.so by changing the binary')
parser.add_argument('-b', dest="binary", help='input binary')
parser.add_argument('-l', dest="ld", help='ld.so version')
parser.add_argument('-o', dest="output", help='outputfile')
args = parser.parse_args()

change_ld(args.binary, args.ld, args.output)
sudo ln -s /usr/local/glibc-2.27/lib/ld-2.27.so /lib64/ld-glibc-2.27
python change_ld.py -b BINARY -l 2.27 -o OUTPUT
winter@ubuntu:~/tw$ file tcache_tear 
tcache_tear: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a273b72984b37439fd6e9a64e86d1c2131948f32, stripped

# success
winter@ubuntu:~/tw$ file tcache_debug
tcache_debug: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-glibc-2.27, for GNU/Linux 3.2.0, BuildID[sha1]=a273b72984b37439fd6e9a64e86d1c2131948f32, stripped
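The reason the loader is symlinked to a short name under /lib64 instead of being referenced as /usr/local/glibc-2.27/lib/ld-2.27.so is that change_ld.py overwrites the PT_INTERP string in place, so the new path has to fit in the slot the linker originally emitted (28 bytes on x86-64 for /lib64/ld-linux-x86-64.so.2 plus its NUL). The following is an added, dependency-free Python 3 example that is not part of the original post and not pwntools code: it parses the ELF64 program headers itself, performs the same rewrite, and refuses paths that do not fit. build_sample_elf constructs a minimal ELF64 image (headers plus the interpreter string only, not a runnable program) so the example runs offline; the ld-glibc-<version> naming follows the script above.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3           # program header type of the interpreter segment
EHDR_SIZE = 64          # ELF64 header size
PHDR_SIZE = 56          # ELF64 program header size
PHDR_FMT = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def read_interp(data):
    """Return (file_offset, slot_size, path) of the PT_INTERP segment, or None.

    Only little-endian ELF64 is handled, which covers the x86-64 binaries the
    post deals with; ELF32 differs only in header layout.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = fields[0], fields[2], fields[5]
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            return p_offset, p_filesz, raw.split(b"\0", 1)[0].decode()
    return None


def rewrite_interp(data, new_interp):
    """Return (patched_image, old_path) with PT_INTERP pointing at new_interp.

    The segment is not resized: the new path plus its NUL terminator has to fit
    in the slot the linker emitted, otherwise the rewrite is refused.
    """
    found = read_interp(data)
    if found is None:
        raise ValueError("image has no PT_INTERP segment (statically linked?)")
    offset, size, old_path = found
    encoded = new_interp.encode()
    if len(encoded) + 1 > size:
        raise ValueError("{!r} needs {} bytes with NUL but the PT_INTERP slot is {} bytes"
                         .format(new_interp, len(encoded) + 1, size))
    patched = bytearray(data)
    patched[offset:offset + size] = encoded.ljust(size, b"\0")
    return bytes(patched), old_path


def build_sample_elf(interp, slot_size=28):
    """Constructed sample (not a runnable program): ELF64 header, one PT_INTERP
    program header, then the interpreter string padded to slot_size bytes."""
    encoded = interp.encode() + b"\0"
    if len(encoded) > slot_size:
        raise ValueError("sample interpreter does not fit its slot")
    phoff = EHDR_SIZE
    interp_off = phoff + PHDR_SIZE
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LSB, version 1, SYSV ABI
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0,               # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
                                 phoff, 0, 0,               # e_phoff, e_shoff, e_flags
                                 EHDR_SIZE, PHDR_SIZE, 1,   # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(PHDR_FMT, PT_INTERP, 4, interp_off, interp_off, interp_off,
                       slot_size, slot_size, 1)             # PF_R, file/mem size = slot
    return ehdr + phdr + encoded.ljust(slot_size, b"\0")


if __name__ == "__main__":
    image = build_sample_elf("/lib64/ld-linux-x86-64.so.2")
    patched, old = rewrite_interp(image, "/lib64/ld-glibc-2.27")
    print(old, "->", read_interp(patched)[2])
    try:  # the full install path is too long for the 28-byte slot
        rewrite_interp(image, "/usr/local/glibc-2.27/lib/ld-2.27.so")
    except ValueError as exc:
        print("refused:", exc)
```

Run it against a real binary by replacing build_sample_elf with the file contents read in binary mode; the same length check is what decides whether a symlink name such as /lib64/ld-glibc-2.27 is needed.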
# Alternative without patching the binary: start it through the chosen ld.so and preload the matching libc
p = process(["/home/winter/ff/ld-2.32.so", "./ff"],
            env={"LD_PRELOAD": "/home/winter/ff/libc.so.6"})

Afterword

Mainly based on section 5.1.3 of 《CTF竞赛权威指南(pwn篇)》 (the authoritative CTF guide, pwn volume).

While doing 2.27 pwn challenges, the tcache mechanism kept failing (double free, and so on); after making this change it works.

glibc downloads

https://mirrors.tuna.tsinghua.edu.cn/ubuntu/pool/main/g/glibc/
