
I'm writing a return-to-libc attack for a school project. My script retrieves the system(), exit() and shell addresses as follows (it's a sh script that calls some c programs):

Create the environment variable for the xh shell: export egg=/bin/xh

Retrieve the address of the xh shell: printf("%p\n", getenv("egg"));

Get the address of system(): int (*system_addr)(const char *) = dlsym(RTLD_NEXT, "system");

Get the address of exit(): void (*exit_addr)(int) = dlsym(RTLD_NEXT, "exit");

I then overflow the buffer with the correct amount of filler + address of system() + address of exit() + address of /bin/xh.

The exploit is in a folder called /vuln_programs. We can't write to this directory so I'm working on a local copy in my own directory on the server.

The problem is that when I run the script in my working directory on my local copy (./vuln_program), the xh shell is dropped correctly. But when I run the script in my working directory on /vuln_programs/vuln_program, nothing happens.

My guess is that this is because, for some reason, the address of the egg is not the same anymore, even though my script puts it in / gets it from the environment. Am I right in this assumption, and how can I resolve this?

It might be important to note that all binaries in /vuln_programs have a setuid-bit set.

Try to use full absolute paths always instead. Not really sure what is your problem but if there is no permission problem... maybe you can put entire code... – OscarAkaElvis Dec 19 '16 at 10:17

0 Answers