This challenge introduces the concept of return to libc (ret2libc), and also requires defeating ASLR.
Steps to solve:
- Use the leaked address to calculate the base address of libc
- Find the return pointer offset in the stack
- Find a usable pointer to the string "/bin/sh" (in libc)
- Ensure the stack is set up correctly to pass the pointer to "/bin/sh" to system()
Some gotchas here are:
- How to calculate the base address
- How to figure out the offset of system in libc
- How to set up the stack correctly to pass an argument via a return instruction instead of a call instruction
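The first two gotchas come down to arithmetic and a sanity check, so here is a small added helper (example code, not part of the write-up or the challenge files). It takes a leaked libc address plus that symbol's offset inside the libc image (for instance from `readelf -s libc.so.6`, or `strings -t x libc.so.6` for the "/bin/sh" string), computes the load base, and checks two things a practitioner should verify before trusting the result: the base must be page-aligned (ASLR shifts the whole mapping by a page-granular delta), and every rebased address must still fall inside the library's mapping. A misaligned base almost always means the offsets were taken from a different libc build than the one running on the target. All addresses and offsets below are constructed placeholders. The third gotcha is a calling-convention detail rather than arithmetic: a `call` pushes the return address so the callee finds its first argument at `esp+4` on entry, whereas a `ret` into a function pushes nothing, so the stack must already hold a placeholder return slot before the argument.

```python
# Added example, not code from the challenge write-up. Values are constructed.

PAGE = 0x1000


def libc_base_from_leak(leaked_addr: int, symbol_offset: int) -> int:
    """Return the libc load base for a leaked symbol address.

    symbol_offset is the symbol's offset inside the libc image, e.g. taken
    from `readelf -s libc.so.6` (assumption: the same build as the target).
    """
    base = leaked_addr - symbol_offset
    # ASLR relocates the mapping by whole pages, so a correct base is
    # page-aligned. Anything else points at mismatched libc offsets.
    if base & (PAGE - 1):
        raise ValueError(f"libc base {base:#x} is not page-aligned; wrong libc offsets?")
    return base


def rebase(base: int, offsets: dict, libc_size: int) -> dict:
    """Add the base to each symbol/string offset and confirm the result
    lies inside the libc mapping [base, base + libc_size)."""
    resolved = {}
    for name, off in offsets.items():
        addr = base + off
        if not (base <= addr < base + libc_size):
            raise ValueError(f"{name} at {addr:#x} lies outside the libc mapping")
        resolved[name] = addr
    return resolved


if __name__ == "__main__":
    # Constructed sample: pretend puts was leaked at this address and the
    # libc build has the following offsets (placeholders, not real values).
    leaked_puts = 0xF7DF3B40
    offsets = {"puts": 0x067B40, "system": 0x03ADA0, "binsh": 0x15BA0B}
    base = libc_base_from_leak(leaked_puts, offsets["puts"])
    for name, addr in rebase(base, offsets, libc_size=0x1D8000).items():
        print(f"{name:7s} {addr:#x}")
```

If the alignment check fires, re-derive the offsets from the exact libc shipped with the challenge (compare its build ID against the one you took the offsets from) rather than tweaking the leak.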
Write-up will come later.