I am trying to write a return-to-libc exploit, but am not able to figure out where in the stack I should place the argument for my system() call.
The vulnerable function is
    void func(char *str)
    {
        char buffer[12];
        strcpy(buffer, str);
    }
The stack for this function will look something like this:
    -----------
    str
    -----------
    return address
    -----------
    previous frame pointer
    -----------
    buffer
    -----------
I understand that I must overwrite the return address with the address of system(), but where should I place the address of its argument, and why?
Thanks.
A pointer to the argument should be found immediately above the return address. That is, after the overwrite, your stack should look something like this:
    -----------
    shellcode: /bin/whatever ...
    ...
    ...
    ...
    \0
    -----------
    &shellcode <-- str is here
    -----------
    &system <-- return address is here
    -----------
    previous frame pointer <--- don't corrupt this
    -----------
    padding <-- buffer
Note that this implies you must know what %esp is when you reach strcpy (to avoid corrupting the previous frame pointer). Also, none of the pointers can contain a zero byte.
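For comparison, here is the vulnerable function from the question next to the bounded version a defender would write; this is an added illustration, not code from the question or the answer, and the name func_checked is my own. The hardened version refuses any input that would not fit in the 12-byte buffer, which is exactly the condition the overwrite above depends on.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable function from the question, unchanged: strcpy copies until
 * it finds a NUL, so any str of 12 bytes or more runs past buffer into the
 * saved frame pointer and then the return address. */
void func(char *str)
{
    char buffer[12];
    strcpy(buffer, str);      /* BUG: no bounds check */
}

/* Hardened equivalent (hypothetical name): copies str into a 12-byte local
 * buffer only if the string and its terminator fit, otherwise refuses.
 * Returns the copied length, or -1 if str would overflow buffer. */
int func_checked(const char *str)
{
    char buffer[12];
    /* Look for the terminator within the buffer's capacity only: memchr is
     * bounded by sizeof buffer, so an over-long input is detected before a
     * single byte is written. */
    const char *nul = memchr(str, '\0', sizeof buffer);
    if (nul == NULL)
        return -1;            /* needs >= 12 bytes: would clobber the frame */
    size_t len = (size_t)(nul - str);
    memcpy(buffer, str, len + 1);   /* copy including the terminator */
    return (int)len;
}

int main(void)
{
    /* constructed sample inputs: fits, fits exactly, one byte too long */
    const char *inputs[] = { "hello", "exactly11ch", "twelve chars" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> %d\n", inputs[i], func_checked(inputs[i]));
    return 0;
}
```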