ret2libc

Leak a function address from libc => Compute libc base address => call system("/bin/sh") or use one_gadget

Theory

If the function is dynamically linked, it is possible to utilize gadgets from libc. For example, if the binary calls puts(), we can control EIP/RIP and then leak an address from GOT. If libc.so is given, just attach it and find the offset; otherwise, use libc database to search the offset. We compute the libc base address:

libc_base_address = leaked_address_from_GOT - offset

Then we compute the system() address and "/bin/sh" address:

system_address = libc_base_address + offset
bin_sh_address = libc_base_address + offset

In the end we call system("/bin/sh"). Read this writeup to learn more:

https://www.ctfwriteup.com/pwn/jarvis-oj-pwn-xman-serieswww.ctfwriteup.com

Jarvis OJ Pwn Xman Series - ctfwriteup.com

Template: