How to exploit with control over the return address and knowledge of the address of printf
I have this program that uses ASLR and it leaks information when I overflow a buffer, namely the address of printf. Furthermore, I can overwrite the return address. How can I use this to spawn a shell? My approach would have been to calculate the relative offset of the system() function with respect to printf, since it is in the same address space, and then overwrite the return address with the address of system(). The problem is that I need to have a "/bin/sh" string as an argument, and since the program uses ASLR I can't pass this string with environment variables.
How can I exploit this program knowing only the address of printf and being able to overwrite the return address, in an ASLR scenario?
The same way you calculate the offset to system within libc, you could also find a string reference to "/bin/sh" in libc and calculate the offset based on the leak. Use

strings -a -t x /path/to/libc.so.6 | grep /bin/sh

to get the offset, then

printf_leak - printf_offset + binsh_offset

to get the memory address.
Or, you may be able to do everything in a single jump since the needed code is usually already in libc. There are tools such as one_gadget out there to automate this.