How to exploit with control over the return address and knowledge of the address of printf




    I have this program that uses ASLR and it leaks information when I overflow a buffer, namely the address of printf. Furthermore I can overwrite the return address. How can I use this to spawn a shell? My approach would have been to calculate the relative offset of the system() function with respect to printf, since it is in the same address space, and then overwrite the return address with the address of system(). The problem is that I need to have a "/bin/sh" string as an argument, and since the program uses ASLR I can't pass this string with environment variables.

    How can I exploit this program knowing the address of printf and overwriting the return address alone in an ASLR scenario?



  • The same way you calculate the offset to system within libc, you could also find a string reference to "/bin/sh" in libc and calculate the offset based on the leak. Use strings -a -t x /path/to/libc.so.6 | grep /bin/sh to get the offset, then printf_leak - printf_offset + binsh_offset to get the memory address.

    Or, you may be able to do everything in a single jump since the needed code is usually already in libc. There are tools such as one_gadget out there to automate this.

