Return-to-libc attack
A return-to-libc attack is a computer security attack usually starting with a buffer overflow, in which the return address on the stack is replaced by the address of another function in the computer program. This allows attackers to call pre-existing functions without injecting malicious code into programs, and it can still be a security hole in environments protected by concepts such as an NX bit (non-executable) stack.
=Theory of operation=
In classical stack buffer overflow attacks, the buffer to be overflowed must be large enough to hold the shellcode; otherwise the success rate of the attack drops dramatically, and if the buffer is so small that it cannot hold the shellcode at all, the attack fails outright. A return-to-libc attack can make such an attack possible in some of those situations. As its name indicates, a return-to-libc attack achieves this by overwriting a function's return address on the stack with the address of another function that lives in libc.so in the process's address space, instead of the address of the shellcode used in classical buffer overflow attacks. Any function in libc can serve here; for the attacker's purposes, however, the most useful one is system(3).
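The overflow that the attack starts from, and the bounds check that removes it, as an added C example that is not part of the original page. It contrasts the unchecked `strcpy` pattern with a hardened version that refuses oversize input; the names `greet_unsafe`, `greet_safe` and `overflow_bytes` are assumed for illustration. A deliberately small 16-byte buffer makes the page's point: too small for shellcode, yet an input only slightly longer than the buffer already reaches past its end toward the saved return address, which is why an executable stack is not required for the attack and why preventing the overflow itself is what closes it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original page: the classic overflow that a
 * return-to-libc attack starts from, beside a bounds-checked version.
 * The buffer is deliberately small (16 bytes): too small for shellcode,
 * yet whatever sits above it on the stack is only a few bytes away. */

#define BUF_SIZE 16

/* Unsafe pattern: strcpy copies until the NUL byte, regardless of the
 * destination size. Input of 16 or more characters overwrites whatever
 * lies above buf on the stack. Kept here for contrast only; the example
 * never calls it with input that does not fit. */
void greet_unsafe(const char *name)
{
    char buf[BUF_SIZE];
    strcpy(buf, name);          /* no length check */
    printf("hello, %s\n", buf);
}

/* Hardened form: refuse input that would not fit instead of copying it.
 * Returns 0 when the name was handled, -1 when it was rejected.
 * Rejecting is preferred over silent truncation so that an oversize
 * input stays visible to callers and can be logged. */
int greet_safe(const char *name)
{
    char buf[BUF_SIZE];
    size_t len = strlen(name);
    if (len >= sizeof buf)      /* need room for the terminating NUL */
        return -1;
    memcpy(buf, name, len + 1); /* copy exactly len bytes plus the NUL */
    printf("hello, %s\n", buf);
    return 0;
}

/* How many bytes an input of the given length would write past the end
 * of buf in greet_unsafe (0 when it fits, NUL included). */
size_t overflow_bytes(size_t name_len)
{
    size_t needed = name_len + 1;           /* plus NUL */
    return needed > BUF_SIZE ? needed - BUF_SIZE : 0;
}

int main(void)
{
    /* Constructed oversize input: 63 'A's, the kind of filler an
     * overflow probe uses; here it is only used to show the rejection. */
    char oversize[64];
    memset(oversize, 'A', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';

    greet_safe("alice");
    if (greet_safe(oversize) != 0)
        printf("rejected %zu-byte input (%zu bytes would spill past the buffer)\n",
               strlen(oversize), overflow_bytes(strlen(oversize)));
    return 0;
}
```

Compile with `cc -Wall -o greet greet.c` and run `./greet`; the oversize input is rejected rather than copied. The check compares against `sizeof buf`, so changing `BUF_SIZE` cannot silently desynchronise the check from the buffer, which is the usual way a "fixed" copy regresses.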
=Preventing=
=Detecting=
=Attack example=