killchain-compendium/exploit/binaries/ret2libc.md

# Ret2libc


## Finding offsets

* On target find `sh` address inside libc
```sh
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
```
* Sub from `system` address from inside libc
```sh
readelf -s /lib32/libc.so.6 | grep system
```
mssql 2021-12-12 00:54:07 +01:00			`# Ret2libc`


			`## Finding offsets`

			* On target find `sh` address inside libc
			```sh
			`strings -a -t x /lib32/libc.so.6 \| grep /bin/sh`
			```
			* Sub from `system` address from inside libc
			```sh
			`readelf -s /lib32/libc.so.6 \| grep system`
			```