Return to libc finding pointers

Question

For a class in software security I've got to make a simple return to libc attack. I managed to make a perl script that completes the attack given the correct pointers to system(), exit() and the /bin/sh string. I found these pointers using gdb "p system" etc. Now I want to make the exploit a bit more "dynamic" by writing a c program that finds the adres of system() and exit() at run time. How do I do this? I tried "&system" but that doesn't seem to be giving me the correct adress at all.

Edit: The system does NOT have ASLR enabled.

Answer 1

You may easily find the addresses using binutils - objdump or readelf, but only addresses of the symbols the binary is actually using. The unused symbols are not linked with the libc library.

Say you want to hack the ls command:

objdump -d `which ls` | less

you will find this section:

0000000000402910 <exit@plt>:
  402910:       ff 25 da 89 21 00       jmpq   *0x2189da(%rip)        # 61b2f0 <_fini+0x208704>
  402916:       68 5e 00 00 00          pushq  $0x5e
  40291b:       e9 00 fa ff ff          jmpq   402320 <_init+0x10>

So now you have the address: 0x402910 is the jump address of the exit() function (the one you would get printed if you tried printf("%x\n", exit);.

Regarding system, ls is not using this symbol so you cannot access it this way, as it is not linked.