Overwriting the return address on the stack by overflowing the buffer lets us return to an address of our choosing, which ends in code execution.
Keep in mind that if NX is enabled we can't just jump directly to shellcode on the stack, so we return into libc instead:
junk_buf + system_addr + exit_addr + /bin/sh
Since we overwrite the return address with system's address, we can hand system an argument and make it execute a command: the word after system_addr is where system "returns" when it finishes (exit's address, so the program ends cleanly), and the word after that is system's first argument, a pointer to the string "/bin/sh".
1st –> find the exact number of bytes needed to fill the buffer plus the saved ebp.
2nd –> to overwrite the return address, find system's address with "p system" in gdb.
3rd –> search for the string "/bin/sh" in the program's memory with "memsearch /bin/sh", which spares you calculating an offset by hand because the address comes out already computed. Don't care about exit.
4th –> construct your chain as "junk_buf + system_addr + exit_addr + /bin/sh".
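For the defender's side of these notes, here is an added example (not code from the original notes or from any particular target binary) showing the kind of unbounded copy that makes the return address reachable in the first place, next to a hardened version that refuses input that would not fit. The names vuln_copy, safe_copy and BUF_SIZE are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a stack buffer overflow of the kind these notes exploit,
 * next to a bounded version. vuln_copy, safe_copy and BUF_SIZE are names
 * chosen for this example, not from any real program. */

#define BUF_SIZE 64

/* VULNERABLE: strcpy() copies until it sees a NUL byte and ignores the
 * 64-byte size of buf. Any longer input runs past buf into the saved ebp
 * and the return address above it, which is exactly what the ret2libc
 * chain in the notes overwrites. Only ever call this with trusted input. */
int vuln_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no bounds check at all */
    return (int)strlen(buf);       /* bytes copied */
}

/* HARDENED: measure the input without reading more than BUF_SIZE bytes,
 * refuse anything that would not fit together with its NUL terminator, and
 * copy with an explicit length. Returns the copied length, or -1 if the
 * input was rejected. */
int safe_copy(const char *input)
{
    char buf[BUF_SIZE];
    size_t len = 0;

    while (len < BUF_SIZE && input[len] != '\0')
        len++;
    if (len == BUF_SIZE)
        return -1;                 /* no room for the terminator: would overflow */

    memcpy(buf, input, len);
    buf[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one 99 bytes long. */
    char big[100];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';

    printf("vuln_copy(\"hello\") -> %d\n", vuln_copy("hello"));
    printf("safe_copy(\"hello\") -> %d\n", safe_copy("hello"));
    printf("safe_copy(99 x 'A')  -> %d (rejected)\n", safe_copy(big));
    /* vuln_copy(big) is deliberately not called: it would smash the stack. */
    return 0;
}
```

Note that on most distributions the compiler and linker default to a stack canary and a non-executable stack, which is why the notes' chain returns into libc rather than into shellcode on the stack; the bounds check in safe_copy is what removes the overflow itself, and the addresses the notes look up by hand only stay fixed while ASLR is disabled.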
Start with this:
gdb gives you a convenient way to do the address calculations (base + offset) directly:
(gdb) x/x 0xb7e97000 + 0x00038fb0
info proc map (lists the mapped regions, including where libc is loaded)
libc_base_addr: ldd /home/vuln | grep libc
To run the script against the binary, use the following (cat keeps stdin open after the script has finished):
(python exploit.py; cat) | /home/vuln