Ret2libc

Finding offsets

  • On the target, find the offset of the /bin/sh string inside libc:
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
  • Take the difference with the system address inside libc:
readelf -s /lib32/libc.so.6 | grep system
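
`grep system` matches several symbols, so the right row has to be picked by exact name before taking the difference. The following is an added example, not part of the original page: the helper names (`symbol_offset`, `string_offset`, `hex_delta`) are hypothetical and the sample tool output is constructed with made-up values.

```shell
#!/bin/sh
# Constructed sample of `readelf -s <libc> | grep system` output (made-up values).
sample_readelf() {
cat <<'EOF'
   258: 00112340    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
   662: 00041230    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1537: 00041230    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
EOF
}

# Constructed sample of `strings -a -t x <libc> | grep /bin/sh` output.
sample_strings() {
cat <<'EOF'
 18a5c0 /bin/sh
EOF
}

# Read readelf -s rows on stdin; print the Value column of the symbol whose
# name, with any @version suffix removed, is exactly $1.
symbol_offset() {
    awk -v want="$1" '{ n = $8; sub(/@.*/, "", n)
                        if (n == want) { print $2; exit } }'
}

# Read `strings -t x` rows on stdin; print the hex offset of the exact string $1.
string_offset() {
    awk -v want="$1" '$2 == want { print $1; exit }'
}

# Print the difference of two hex values (first minus second) as hex.
hex_delta() {
    printf '0x%x\n' $(( 0x$1 - 0x$2 ))
}

sys=$(sample_readelf | symbol_offset system)
sh_off=$(sample_strings | string_offset /bin/sh)
echo "system=0x$sys /bin/sh=0x$sh_off delta=$(hex_delta "$sh_off" "$sys")"
```

Against a real library, pipe `readelf -s /lib32/libc.so.6` and `strings -a -t x /lib32/libc.so.6` into the two helpers instead of the samples. Both values are relative to the libc load base, so their difference is fixed for a given libc build.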