Bypassing non-executable-stack during exploitation using return-to-libc

Contributed by C0ntex back in 2004 from the old Infosecwriters archives

Returning to libc is a method of exploiting a buffer overflow on a system that has a non-executable stack. It is very similar to a standard buffer overflow, in that the return address is changed to point at a new location that we control. However, since no executable code is allowed on the stack, we cannot simply place shellcode there.

This is the reason we use the return-into-libc trick and make use of a function that the C library already provides. We still overwrite the return address, but with the address of a function in libc, pass it the correct arguments, and have that function execute for us. Since these functions do not reside on the stack, the stack protection is bypassed and code executes.

In the following example I will use the system() function, a generic return address and a command argument, "/bin/sh". As no shellcode is required for this method, it is also a very suitable trick for overflows where buffer space is a real issue.
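The point of the technique above is that a non-executable stack only stops injected code; it does nothing against a return address that points at code already mapped in libc. From the defender's side, the first question is therefore whether a binary relies on the NX stack bit alone. The following is an added example, not code from the original article or from C0ntex: it parses the ELF64 program headers of a binary and reports whether the stack is marked non-executable (PT_GNU_STACK without PF_X), whether the image is position independent (ET_DYN, so ASLR can move it) and whether RELRO is requested. The `build_test_image()` helper is an assumption of this example; it constructs a minimal ELF header in memory so the check can run offline without a real binary. Note that the randomised placement of libc itself depends on system-wide ASLR, which is not visible in the file and is flagged as such in the findings.

```python
import struct

# ELF constants (from the ELF64 specification and the GNU toolchain)
ET_DYN = 3                  # position-independent executable / shared object
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permission flags
PT_GNU_RELRO = 0x6474E552   # region to be made read-only after relocation
PF_X = 0x1                  # execute permission bit in p_flags

# ELF64 header after e_ident, and one program header entry (little-endian)
EHDR_FMT = "<HHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"


def parse_elf64_phdrs(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def assess_hardening(data):
    """Summarise the mitigations a binary asks the loader for."""
    e_type, phdrs = parse_elf64_phdrs(data)
    stack_flags = [flags for t, flags in phdrs if t == PT_GNU_STACK]
    # GNU ld and the Linux loader treat a missing PT_GNU_STACK as a request
    # for an executable stack, so absence of the header counts as "no NX".
    nx_stack = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "nx_stack": nx_stack,
        "pie": e_type == ET_DYN,
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
    }


def findings(data):
    """Turn the summary into review findings aimed at the ret2libc case."""
    h = assess_hardening(data)
    notes = []
    if not h["nx_stack"]:
        notes.append("stack is executable: injected shellcode would run directly")
    if not h["pie"]:
        notes.append("not PIE: the binary's own code and data sit at fixed addresses")
    if not h["relro"]:
        notes.append("no RELRO: GOT entries remain writable after loading")
    if h["nx_stack"]:
        notes.append("NX stack is set, but it does not stop return-to-libc; "
                     "libc placement depends on system-wide ASLR, which this file cannot show")
    return notes


def build_test_image(e_type, stack_flags, with_relro=True):
    """Constructed minimal ELF64 image (header + program headers only) for testing."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ident + ehdr + body


if __name__ == "__main__":
    # Constructed samples: a hardened PIE with an RW stack, and a legacy binary with RWX stack.
    for label, img in (("hardened", build_test_image(ET_DYN, 0x6)),
                       ("legacy", build_test_image(2, 0x7, with_relro=False))):
        print(label, assess_hardening(img))
        for note in findings(img):
            print("  -", note)
```

To run it against a real binary, read the file into `data` and call `findings(data)`; the same parser covers any little-endian ELF64 object, while 32-bit or big-endian images are rejected rather than misread.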

This document is in PDF format.
