`system` function found within the C library. This function executes anything passed to it, making it the best target. Another thing found within libc is the string
`/bin/sh`; if you pass this string to
`system`, it will pop a shell.
`/bin/sh` as a parameter to
`system`. Doesn't sound too bad, right?
`/bin/sh`. To understand the general theory, we will start with it disabled.
`ldd` for dynamic linking. If we run it on our compiled ELF file, it'll tell us the libraries it uses and their base addresses.
`libc.so.6`, so the base address of libc is
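As an added example that is not part of the original page: a small POSIX shell helper that pulls the libc base out of `ldd` output and compares two runs, which is the quick way to confirm whether ASLR is really off (fixed base) or on (base moves) before trusting any address read from `ldd`. The two `ldd` outputs below are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example: extract the libc load address from ldd output and check
# whether it stays fixed (ASLR off) or changes (ASLR on) between two runs.

# Constructed sample ldd output for two runs of the same binary.
LDD_RUN1='    linux-vdso.so.1 (0x00007ffff7fc1000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7dc1000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc3000)'
LDD_RUN2='    linux-vdso.so.1 (0x00007f3a1c9e4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c7e3000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a1c9e6000)'

# libc_base: read ldd output on stdin, print the libc.so.6 load address.
# The address is the last field, wrapped in parentheses, so strip those.
libc_base() {
    awk '/libc\.so\.6/ { gsub(/[()]/, "", $NF); print $NF }'
}

# aslr_status: given two ldd outputs, print "static" if libc landed at the
# same base both times (ASLR disabled) or "randomised" if it moved.
aslr_status() {
    b1=$(printf '%s\n' "$1" | libc_base)
    b2=$(printf '%s\n' "$2" | libc_base)
    if [ "$b1" = "$b2" ]; then
        echo static
    else
        echo randomised
    fi
}

# live_check: run ldd twice on a real binary (default /bin/ls) and report.
# ldd invokes the dynamic loader, so its addresses reflect the live ASLR
# setting; a randomised result means the bases on this page will not hold.
live_check() {
    bin=${1:-/bin/ls}
    aslr_status "$(ldd "$bin" 2>/dev/null)" "$(ldd "$bin" 2>/dev/null)"
}
```

Run `live_check` on a Linux host with ASLR enabled and you should see `randomised`; with `randomize_va_space` set to 0 it prints `static`.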
`readelf` command for this.
`readelf` to search for symbols, for example functions. Here we can find the offset of `system` from libc base is
`/bin/sh` is just a string, we can use
`strings` on the dynamic library we just found with
`ldd`. Note that when passing strings as parameters you need to pass a pointer to the string, not the hex representation of the string, because that's how C expects it.
`-a` tells it to scan the entire file;
`-t x` tells it to output the offset in hex.
`libc` linked to the 64-bit exploit (should be called something like
`pop rdi; ret` gadget to put it into the RDI register.