I am currently learning about binary exploitation. Now I am working with a binary (Linux) that is vulnerable to a stack buffer overflow (ASLR and NX are enabled, and the binary is interacted with through the network), and I have developed a 2-stage exploit. The first stage leaks the address of the `puts` function in libc (from the GOT, leaked by calling `puts` to send the address), and the 2nd stage uses the leaked address to calculate the address of a few ROP gadgets and the `execve` function, which is used to gain Remote Code Execution.

The problem is:

I debug the binary in IDA and find the addresses of `puts` and `execve`, so then I can calculate the offset of `execve` from `puts`. Let's say this offset is `x`. Then when using the exploit, stage 1 leaks the address of `puts`, and then the address of `execve` is found by `puts + x`. This exploit works fine on my installation of Linux, but I have noticed that in other flavours of Linux, the offset `x` of `puts -> execve` in libc is different (assuming because it's a different build of libc). So my question is, how can one find the address of another function using a leaked libc address, for a different Linux flavour which has an unknown offset?
> This exploit works fine on my installation of Linux, but I have noticed that in other flavours of Linux, the offset `x` of `puts -> execve` in libc is different (assuming because it's a different build of libc).

Correct: the address will change depending on the exact GLIBC source, the exact version of the compiler and linker used, compilation flags, etc.

In short, you can know this offset for a specific version of the `libc6` package in a specific Linux distribution, but there are probably 100 different variants in common use on any given day.

> So my question is, how can one find the address of another function using a leaked libc address, for a different Linux flavour which has an unknown offset?

You can't.

The only things you could do are

`[x - N, x + N]` (where `N` is the guessed maximum of the possible deviations).