
I am training myself for BOF and ASLR in 32 bits. I wrote a program that looks like this:

#include <stdio.h>

int main(int argc, char **argv)
{
    char buffer[32];
    printf(argv[1]);   /* format string bug: argv[1] is used as the format */
    gets(buffer);      /* stack buffer overflow: gets() has no length limit */
    return 0;
}

With a format string I can get main's return address which is: 0xf7e19637 <=> __libc_start_main+247.

But now I don't know what I can do with this address to find the address of the system function to do a Ret2LibC!

EDIT: After some research I found this: How to leak libc base address using format string exploit, which is the same program, and he wants to exploit it the same way I do (he is on x86_64). But I do not understand how his script works.

wammder

1 Answer


You have to grab your libc binary and compute the offset in bytes from __libc_start_main+247 to the function you want to call. ASLR randomizes the base address from where the module is loaded, but it cannot randomize internal offsets between elements inside the module itself. You can find this offset in gdb by executing

print system - (__libc_start_main + 247)

... while running the program. Hence, to find system given __libc_start_main+247, just add the value you got by running that command. Keep in mind that this offset does depend on the version of the module and the way it was built, so it may be different between systems. You can roughly guess, "if it runs Ubuntu xxxx, offset should be this", or you can make sure by means of arbitrary read primitives.

user25972
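Worked example, added to this page (not code from the question, the answer or the linked post): the answer's recipe in Python. dynsym_values() reads the .dynsym/.dynstr sections of a libc binary directly (the same numbers `readelf -s libc.so.6` prints), offset_to_system() is the constant the answer says to add, and system_from_leak() applies it to a leaked __libc_start_main+247, masking to 32 bits so a negative offset wraps correctly. The symbol values in demo_constructed() are made up for illustration and are not from any real libc; demo_against_host() is the only part that assumes a Linux/glibc host with /proc, where it leaks this process's own __libc_start_main+247 and checks that the recovered libc base and system() match the real ones.

```python
"""Turn a leaked __libc_start_main+247 into libc base and system().

Added example, not from the question or answer. dynsym_values() is a
minimal .dynsym/.dynstr reader for a libc binary; demo_constructed() uses
made-up offsets; demo_against_host() assumes Linux, glibc and /proc.
"""
import struct

SHT_DYNSYM = 11


def dynsym_values(path):
    """Return {name: st_value} for each defined .dynsym symbol of an ELF file.

    libc.so.6 is linked at address 0, so st_value is the offset from the
    load base, which is exactly what ASLR cannot change.
    """
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: %s" % path)
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA:  1 = little endian
    if is64:
        ehdr_fmt, sh_fmt, sym_fmt = "HHIQQQIHHHHHH", "IIQQQQIIQQ", "IBBHQQ"
    else:
        ehdr_fmt, sh_fmt, sym_fmt = "HHIIIIIHHHHHH", "IIIIIIIIII", "IIIBBH"
    ehdr = struct.unpack_from(end + ehdr_fmt, data, 16)
    shoff, shentsize, shnum = ehdr[5], ehdr[10], ehdr[11]
    # section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from(end + sh_fmt, data, shoff + i * shentsize)
                for i in range(shnum)]
    for sh in sections:
        if sh[1] != SHT_DYNSYM:
            continue
        sym_off, sym_size = sh[4], sh[5]
        entsize = sh[9] or struct.calcsize(end + sym_fmt)
        str_off, str_size = sections[sh[6]][4], sections[sh[6]][5]   # sh_link -> .dynstr
        symbols = {}
        for i in range(sym_size // entsize):
            fields = struct.unpack_from(end + sym_fmt, data, sym_off + i * entsize)
            if is64:
                st_name, _, _, shndx, st_value, _ = fields
            else:
                st_name, st_value, _, _, _, shndx = fields
            if shndx == 0:
                continue                   # SHN_UNDEF: imported, not defined in this libc
            start = str_off + st_name
            name = data[start:data.index(b"\x00", start, str_off + str_size)].decode()
            symbols.setdefault(name, st_value)   # versioned aliases share one address
        return symbols
    raise ValueError("no .dynsym section in %s" % path)


def offset_to_system(symbols, leak_symbol="__libc_start_main", leak_delta=247):
    """The constant the answer tells you to add: system - (__libc_start_main + 247)."""
    return symbols["system"] - (symbols[leak_symbol] + leak_delta)


def system_from_leak(leaked, symbols, bits=32, leak_symbol="__libc_start_main", leak_delta=247):
    """(libc_base, system) for a leaked leak_symbol+leak_delta from the same libc build.

    The mask matters on 32 bits: the offset is negative when system sits
    below the leaked symbol inside libc.
    """
    mask = (1 << bits) - 1
    libc_base = (leaked - leak_delta - symbols[leak_symbol]) & mask
    return libc_base, (leaked + offset_to_system(symbols, leak_symbol, leak_delta)) & mask


def demo_constructed():
    """The question's leak (0xf7e19637) with made-up libc offsets, not a real libc's."""
    symbols = {"__libc_start_main": 0x18540, "system": 0x3A940}   # constructed values
    return system_from_leak(0xF7E19637, symbols, bits=32)


def libc_in_this_process():
    """(path, load base) of the libc mapped into this process, via /proc/self/maps."""
    path, base = None, None
    try:
        with open("/proc/self/maps") as maps:
            for line in maps:
                parts = line.split()
                if len(parts) < 6:
                    continue
                fname = parts[5].rsplit("/", 1)[-1]
                if fname.startswith("libc.so") or fname.startswith("libc-"):
                    start = int(parts[0].split("-")[0], 16)
                    if base is None or start < base:
                        path, base = parts[5], start
    except OSError:
        pass                                # not Linux: no /proc, skip the live check
    return path, base


def demo_against_host():
    """Leak this process's real __libc_start_main+247 and verify the recovery."""
    import ctypes
    path, base = libc_in_this_process()
    if path is None:
        return None
    symbols = dynsym_values(path)
    libc = ctypes.CDLL(path)
    addr = lambda name: ctypes.cast(libc[name], ctypes.c_void_p).value
    leaked = addr("__libc_start_main") + 247        # what the format string hands you
    rec_base, rec_system = system_from_leak(leaked, symbols, bits=ctypes.sizeof(ctypes.c_void_p) * 8)
    return rec_base == base, rec_system == addr("system")


if __name__ == "__main__":
    base, system = demo_constructed()
    print("constructed: libc base 0x%x, system 0x%x" % (base, system))
    print("host check (None if not Linux/glibc):", demo_against_host())
```

Run the script twice: ASLR moves libc each time, yet the recovered base and system() still match, which is the point of the answer. The offsets have to come from the target's libc build (the binary you grabbed from the target, or an identical package), not from whatever libc happens to be on your own machine.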