
I'm studying the Return-to-libc Attack and I understand the concept. But one thing still does not make sense. In order to make the attack I need the memory address of system() and "/bin/sh", which is different on every system. And all the examples I have seen about the topic are about creating a dummy C program and debugging it with gdb to find these addresses on their host system.

Well, how can I get these memory addresses on the target system if I have no shell access yet? All I have is maybe an EIP address that I found out by fuzzing and a non-executable stack which I can't run anything on.

Spring

1 Answer


This depends a little bit on the mitigations employed by the host. If you do not have ASLR on the target (rare on modern systems), and you know what OS they are running (e.g., Ubuntu 16.04), you can set up a system with the same versions and locate addresses that way. If you look at many Metasploit exploits, they have a table of TARGET versions that you can specify, which usually results in the use of different target addresses.

On a more modern setup (using ASLR), you'll need to either:

  1. Find a module loaded at a fixed address. This used to be fairly common, but is getting rarer with more security awareness.
  2. Find a way to leak some addresses so you can find where libc (or other useful libraries) are located, then add/subtract some offset to find the needed addresses for your attack.
David
    https://github.com/niklasb/libc-database hosts a large number of libc versions which you can match with your target. Use LD_PRELOAD with your library to load a different libc. As already mentioned, try to find a way such that you can leak values from the GOT of the binary. – sudhackar Jan 09 '18 at 07:48
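The answer's second option and the comment's libc-database approach amount to one computation: match the leaked addresses against per-build symbol offsets, derive the randomised base, then add the offset of the symbol you need. The following is an added example, not code from the post or from libc-database; the `LIBC_DB` offsets are constructed for illustration and do not correspond to any real libc build, and the leaked addresses are likewise made up. It also shows the two sanity checks that catch a wrong build or a bad leak: every leak must agree on the same base, and that base must be page-aligned.

```python
# Added example (not from the original post): why one leaked libc address,
# combined with a symbol-offset database, is enough to undo ASLR's base
# randomisation. The database and the leaks below are constructed values.

PAGE_MASK = 0xFFF  # ASLR shifts libc by whole pages, so the low 12 bits survive

# Hypothetical offsets per libc build: build name -> {symbol: offset}.
LIBC_DB = {
    "libc-A (constructed)": {"puts": 0x06F690, "__libc_start_main": 0x020740, "system": 0x045390},
    "libc-B (constructed)": {"puts": 0x080A30, "__libc_start_main": 0x021AB0, "system": 0x04F4E0},
    "libc-C (constructed)": {"puts": 0x06F690, "__libc_start_main": 0x020B10, "system": 0x045390},
}


def match_libc(leaks):
    """Names of database entries whose offsets agree with every leaked address
    in the low 12 bits (the part ASLR cannot change)."""
    return [name for name, syms in LIBC_DB.items()
            if all(sym in syms and (syms[sym] & PAGE_MASK) == (addr & PAGE_MASK)
                   for sym, addr in leaks.items())]


def libc_base(leaks, name):
    """Derive the libc load address for build `name` from the leaked symbols.
    Raises if the leaks disagree on the base or the base is not page-aligned,
    which signals a wrong build guess or a leak that is not a libc address."""
    syms = LIBC_DB[name]
    bases = {addr - syms[sym] for sym, addr in leaks.items()}
    if len(bases) != 1:
        raise ValueError("leaks disagree on the base: wrong libc build or bad leak")
    base = bases.pop()
    if base & PAGE_MASK:
        raise ValueError("base is not page-aligned: leak is not a libc address")
    return base


def resolve(leaks, name, symbol):
    """Runtime address of `symbol` in build `name`, given the leaks."""
    return libc_base(leaks, name) + LIBC_DB[name][symbol]


if __name__ == "__main__":
    # Constructed leaks, standing in for two GOT entries read back from a target.
    leaks = {"puts": 0x7F3A1C46F690, "__libc_start_main": 0x7F3A1C420740}
    print(match_libc(leaks))                                   # ['libc-A (constructed)']
    print(hex(resolve(leaks, "libc-A (constructed)", "system")))  # 0x7f3a1c445390
```

Note that a single leaked symbol matches several builds here (libc-A and libc-C share the same `puts` offset); the second leak is what disambiguates them, which is why real lookups usually take two or more symbols.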