this article explains about return to libc attack.
if we can control instruction pointer , it possible to us to doing this attack.
this method can be used even the target machine have aslr and pie enabled, since we can
leak libc function and calculate it with some offset. we can use this code :
i assume you already know about buffer overflow vulnerability. firstly we need to
find the offset to overwrite instruction pointer , i use gdb-gef to do dynamic analysis
you can find gdb-gef here. to find the offset i use pattern
to automatic calculate the offset
the offset to overwrite eip is 208 bytes , so we need 208 bytes padding to be able to overwrite eip.
now let’s find puts@plt by using objdump
and now let’s find libc function by using readelf
we will use printf , so now we will leak printf address. our exploit should be look
the binary will jump back to main function after leak printf , its like
now we can grab that leaked address and calculate it to system offset , and send another exploit that contains
system() and string “/bin/sh” , our full exploit will look like this