return to libc- finding libc's address and finding offsets

First, before you can approach your problem, you need to check if the executable is running under ASLR (https://en.wikipedia.org/wiki/Address_space_layout_randomization) If that's the case, you will need to find a way to leak the address from the program, as the address of libc will be different every time. You can easily check this by running gdb-->b main-->info proc mappings a couple of times and comparing the offsets. If they are different, your executable is probably running under ASLR. Assuming there is no ASLR protection, using gdb-->b main-->info proc mappings should give you the base address of the libc SO. In order to find the offset of the function you'd like to jump to, you can use many methods, but using readelf -s should work fine - this will give you the offset of the function calculated from the base of the SO (base address of SO + offset = position of code at runtime).

In order to find the base address of the executable module at runtime you can use use gdb or any other debugger and search for the entry point of the executable (or just search for your string after the executable is loaded into memory...). Basically any program that will load your executable to memory and allow you to view the memory will do.

The address of an executable under linux is usually 0x400000 for 64 bit executables and 0x08048000 for 32 bit executables as defined by the gnu linker. But there's nothing stopping someone from changing the entry point to a different address.

After you've figured out the memory mappings, you'll need to find gadgets in the code, I'll leave that for you to research... https://en.wikipedia.org/wiki/Return-to-libc_attack

Perhaps you can find more answers by looking at exercises at exploit-exercises.com for example, protostar stack6 should deal with ret2libc, you can look for a walkthrough

edited: it seems that ldd won't always give you the correct address, it even ignores disabling of ASLR on my system - It's probably better to use gdb


Here are two methods: 1. strings -t x -a /path/to/libc | grep "/bin/sh"--> this outputs the offset of the string in libc.
2. with pwntools: first define the libc with libc=ELF('/path/to/libc') libc_binsh=libc.search("/bin/sh\x00").next()