How to find the libc version without having its local copy.

Scenario

Today's scenario is similar to the one described in my previous article:

  • we have a binary vulnerable to ret2libc
  • we managed to leak the address of puts in memory
  • but we weren't given the libc, so we can't calculate the offsets in memory

Solution

  1. Leak the address of any function in memory
  2. Go to libc database 1 or 2
  3. Fill in the form with the function name and the last 3 hex characters of the address, then press search (ASLR shifts libc by whole pages, so these low 12 bits are the same on every run)
  4. Download the libc binary provided, or use the offsets provided by the database
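
What the database lookup in steps 2 to 4 does locally, as an added example (not code from the original article). It goes one step beyond the text by showing how a second leaked symbol removes an ambiguous match. The build names, offsets and leaked addresses are all constructed for illustration.

```python
PAGE_MASK = 0xFFF  # libc is mapped on a 4 KiB page boundary, so the base ends in 000

# Constructed symbol tables: these build names and offsets are made up,
# they do not correspond to any real libc release.
CANDIDATES = {
    "libc-build-A": {"puts": 0x06F690, "printf": 0x055800, "exit": 0x03A030},
    "libc-build-B": {"puts": 0x0809C0, "printf": 0x064E80, "exit": 0x043120},
    "libc-build-C": {"puts": 0x071690, "printf": 0x058A10, "exit": 0x03C5F0},
}

def match_builds(leaks, candidates=CANDIDATES):
    """Return {build: base} for every build consistent with all leaked addresses.

    leaks maps a symbol name to its leaked runtime address.
    """
    matches = {}
    for name, symbols in candidates.items():
        if not all(sym in symbols for sym in leaks):
            continue
        # Every leak must imply the same load address for this build.
        bases = {addr - symbols[sym] for sym, addr in leaks.items()}
        if len(bases) != 1:
            continue
        base = bases.pop()
        # A page-aligned base is the same condition as "last 3 hex digits match".
        if base >= 0 and base & PAGE_MASK == 0:
            matches[name] = base
    return matches

def resolve(build, base, symbol, candidates=CANDIDATES):
    """Runtime address of another symbol once the build and base are known."""
    return base + candidates[build][symbol]

if __name__ == "__main__":
    one_leak = {"puts": 0x7F3C1A26F690}              # constructed leak
    two_leaks = dict(one_leak, printf=0x7F3C1A255800)  # constructed leak
    for leaks in (one_leak, two_leaks):
        found = match_builds(leaks)
        print(sorted(leaks), "->", {k: hex(v) for k, v in found.items()})
```

With only puts leaked, two of the constructed builds share the suffix 690 and both match; adding the printf leak leaves a single build.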
