Skip to content
/ ptrfind Public

A gdb extension that finds pointers and leak chains for you

License

MIT license
14 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ChaChaNop-Slide/ptrfind

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
ptrfind.py
ptrfind.py
 
 

Repository files navigation

ptrfind

A gdb extension that helps you find pointers in your program

Why?

Imagine this: You have an arbitrary read/write in a region in your pwn-challenge and need to move forward. So you start hexdumping memory, and look for pointers. Ever thought that this could be automated? Well look no further!

Features

  • Automatic memory region detection:
    Don't want to copy-paste the libc's address-range every time? No problem! Keywords like "libc", "loader", "image" and even "tls" are detected automatically, and translated to the respective memory-range. Providing the file name or absolute path of a mapped object file also works!
  • Leak-chains
    Can't get to your destination directly? With --chain, ptrfind will locate leak-chains for you, i.e. getting to your location in multiple leaks. Ezpz!
  • Bad Bytes filtering
    You can only leak pointers without NULL-Bytes? Don't want newlines in your pointer? Give ptrfind a list of bad bytes, and you will only get pointers without them.
  • Caching
    The results of read-only pages are automatically cached, so that future executions will be considerably faster! Use -c to also cache-writeable pages, or --clear-cache to start from scratch.
  • Independent of gef or pwndbg, also works in vanilla gdb

Examples:

  • Find your libc pointers:
(gdb) ptrfind libc --from image
[+] Searching for pointers, this may take a few minutes
[+] Pointer(s) found from /usr/bin/bash to /usr/lib64/libc.so.6:
	0x5555556a6890 (endgrent@got[plt]) → 0x7ffff7e6b650 (endgrent)
	0x5555556a6898 (__ctype_toupper_loc@got.plt) → 0x7ffff7dc7120 (__ctype_toupper_loc)
	0x5555556a68a0 (__strcat_chk@got.plt) → 0x7ffff7eb5020 (__strcat_chk)
	0x5555556a68a8 (iswlower@got[plt]) → 0x7ffff7ea9b70 (iswlower)
	0x5555556a68b0 (sigprocmask@got[plt]) → 0x7ffff7dceb70 (sigprocmask)
	(223 pointers omitted, use -a to show all)
[+] Search done, 228 pointers found
  • Leak-chains:
(gdb) ptrfind tls --from image
[+] Searching for pointers, this may take a few minutes
[-] Search done, no pointers were found
(gdb) ptrfind tls --from image --chain 1
[+] Searching for leak-chains, this may take a few minutes
[+] Leak-chain found (2 leaks):
  → /usr/bin/bash
	0x5555556a6750 (_DYNAMIC+0xd8) → 0x7ffff7ffe108 (_r_debug_extended)
  → /usr/lib64/ld-linux-x86-64.so.2
	0x7ffff7ffb740 (_dlfo_nodelete_mappings) → 0x7ffff7d8e1e0
	0x7ffff7ffe090 (_rtld_local+0x1090) → 0x7ffff7d8e0e0
	0x7ffff7ffe0b8 (_rtld_local+0x10b8) → 0x7ffff7d8da00
	0x7ffff7ffe0c0 (_rtld_local+0x10c0) → 0x7ffff7d8da00
	0x7ffff7ffe168 (alloc_last_block) → 0x7ffff7d8e1e0
	(1 pointer omitted, use -a to show all)
  → [tls] (0x7ffff7d8d000-0x7ffff7d90000)
[+] 20 more chains were found but not printed, use --chain <num_chains_printed> to show more
[+] Search done, 21 unique chains were found

For more examples and a detailed description of all options, check out the command's help page.

Requirements

A recent version of gdb with Python 3 support. This extension has been tested with gdb version 14.1-2 on Fedora 39.

Installation instructions

TL;DR: Include this python script in your .gdbinit with source path/to/ptrfind.py. Here is an example:

cd ~
git clone https://github.com/ChaChaNop-Slide/ptrfind.git
echo "source ~/ptrfind/ptrfind.py" >> .gdbinit

About

A gdb extension that finds pointers and leak chains for you

Topics

gdb pwn pwning

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

14 stars

Watchers

2 watching

Forks

0 forks
Report repository

Contributors 2

  •  
  •  

Languages