How should I format my input for a return-to-libc attack in the following code:
    #include <stdio.h>

    void http_serve_none(int x, const char *name);   /* defined elsewhere */

    void example_function(int x, const char *name)
    {
        /* function pointer lives on the stack alongside buf */
        void (*foo)(int, const char *) = http_serve_none;
        char buf[1024];
        sprintf(buf, name);   /* unbounded copy; name is used as the format string */
        foo(x, buf);
    }
Given that the stack is non-executable, I want to do a return-to-libc attack by changing the foo function pointer to system in libc, not by changing the return address of example_function. What I've done so far is use the conventional method for the input:
padding + address of system ( at foo function's address ) + address of exit + ptr to string ( string = "/bin/sh" )
However, this is not working. I don't know how to format the argument in my input string for the system call. I searched a lot on the internet, but everywhere I saw system() being called via the return address only.
Extra assumptions:
There are no '0' bytes in the address of system. The machine is 32-bit and sprintf is working properly, i.e. storing name into the buffer buf[1024].
I solved it finally... I just passed the pointer to the string "/bin/sh" at the address of x and it worked for me.
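For contrast, here is a hardened counterpart to the example_function above. This is an added example, not code from the question or from any project; the body of http_serve_none is a hypothetical stand-in because the question never shows it. It removes the two defects the attack depends on: the caller-supplied string is no longer used as the format string, and the copy is bounded by sizeof(buf), so a long name cannot run past buf into the function pointer foo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the http_serve_none callback in the question.
 * The original page does not show its body; this one just ignores its input. */
static void http_serve_none(int x, const char *name)
{
    (void)x;
    (void)name;
}

/* Bounded copy of `name` into `dst` (capacity `cap`), with a fixed format
 * string so directives such as %x or %n inside `name` are copied literally,
 * not interpreted. Returns the length snprintf would have written without
 * truncation, so the caller detects truncation with `ret >= cap`. */
int copy_name_bounded(char *dst, size_t cap, const char *name)
{
    return snprintf(dst, cap, "%s", name);
}

/* Hardened version of example_function.
 * Returns 0 when `name` fit in buf, -1 when it had to be truncated
 * (or on an encoding error from snprintf). The function pointer `foo` can no
 * longer be overwritten by the copy, because the copy never exceeds buf. */
int example_function_hardened(int x, const char *name)
{
    void (*foo)(int, const char *) = http_serve_none;
    char buf[1024];

    int n = copy_name_bounded(buf, sizeof buf, name);
    if (n < 0)
        return -1;

    foo(x, buf);                               /* buf is always NUL-terminated here */
    return (size_t)n < sizeof buf ? 0 : -1;    /* report truncation to the caller */
}

int main(void)
{
    char big[2000];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short name: %d\n", example_function_hardened(1, "/bin/sh"));   /* 0  */
    printf("format chars: %d\n", example_function_hardened(1, "%x%x%n"));  /* 0  */
    printf("oversized name: %d\n", example_function_hardened(1, big));     /* -1 */
    return 0;
}
```

The truncation return value matters: silently dropping the tail of an over-long name is a correctness bug in its own right, so a real service should log or reject it rather than carry on as if the input were intact.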