gets()
takes in as much data as we want.puts
. As mentioned before, calling the PLT entry of a function is the same as calling the function itself; if we point the parameter to the GOT entry, it'll print out it's actual location. This is because in C string arguments for functions actually take a pointer to where the string can be found, so pointing it to the GOT entry (which we know the location of) will print it out.main
there? Well, if we set the return address to random jargon, we'll leak libc base but then it'll crash; if we call main
again, however, we essentially restart the binary - except we now know libc
base so this time around we can do a ret2libc.puts
, and most functions in C, print until a null byte. This means it will keep on printing GOT addresses, but the only one we care about is the first one, so we grab the first 4 bytes and use u32()
to interpret them as a little-endian number. After that we ignore the the rest of the values as well as the Come get me
from calling main
again.