  2. 2

    Read the strtol() function pointer out of the BSS. From that, calculate the system() function pointer since both are in libc.so.

    Does this step still work as easily if the order of objects in libc.so is randomized when the machine boots up?

    1. 1

      Hmm, it seems the exploit code does indeed use fixed offsets:

      // offsets differ between the 32-bit and 64-bit libc builds;
      // the paste was missing the closing brace of the last else branch
      } else if (name == 'offset_bss_strtol') {
        if (is32 == true) {
          return 0x13fc;
        } else {
          return 0x1168;
        }
      } else if (name == 'delta_strtol_system') {
        if (is32 == true) {
          return 0xb180;
        } else {
          return 0x8bc0;
        }
      }


      Is there another way to get a pointer to system() from JavaScript?
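Added example, not code from the thread or from the exploit it discusses: a small JavaScript simulation of the question above about randomized function order. It models libc as a list of constructed functions, hard-codes the strtol-to-system delta measured on a reference layout (as the pasted exploit does), and then checks how often that delta still lands on system() when only the library base moves each boot versus when the function order is also shuffled each boot. All function names, sizes, addresses and the PRNG are constructed for illustration.

```javascript
// Constructed libc layout: [function name, byte size]; nothing here is measured from a real libc.
const LIBC_FUNCS = [
  ['strtol', 0x400], ['system', 0x300], ['memcpy', 0x800],
  ['printf', 0xc00], ['malloc', 0x1000], ['free', 0x200],
];
// Place functions back to back in the given order; returns name -> address.
function layout(order, base) {
  const addrs = {};
  let cur = base;
  for (const [name, size] of order) {
    addrs[name] = cur;
    cur += size;
  }
  return addrs;
}
// The exploit's assumption: system() sits at a constant distance from the leaked strtol().
function deriveSystem(leakedStrtol, delta) {
  return leakedStrtol + delta;
}
// Small deterministic LCG so runs are reproducible (constructed, not a libc property).
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}
// Fisher-Yates shuffle on the seeded PRNG; models per-boot randomization of function order.
function shuffle(arr, rng) {
  for (let i = arr.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr;
}
// Fraction of simulated boots in which strtol + delta really lands on system().
// The base moves every boot (plain ASLR); randomizeOrder additionally shuffles the function order.
function hitRate(randomizeOrder, boots, seed) {
  const rng = makeRng(seed);
  const reference = layout(LIBC_FUNCS, 0x10000);     // the build the exploit author measured
  const delta = reference.system - reference.strtol;  // the value hard-coded as delta_strtol_system
  let hits = 0;
  for (let i = 0; i < boots; i++) {
    const order = randomizeOrder ? shuffle(LIBC_FUNCS.slice(), rng) : LIBC_FUNCS;
    const live = layout(order, 0x10000 + (i + 1) * 0x1000);
    if (deriveSystem(live.strtol, delta) === live.system) hits++;
  }
  return hits / boots;
}
```

hitRate(false, 50, 1) returns 1, since moving the whole library does not change the delta; hitRate(true, 3000, 42) returns roughly 1/6 here, which is just the chance that the shuffle happens to place system() directly after strtol().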