We have a 32-bit ELF binary and libc is NOT provided:
$ file leakless
leakless: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=168034ba2b6802df6058a4ceede506ffaf8dabb3, not strippeded
Run the binary:
Errore di segmentazione (core dump creato)
Also the binary seems dont use puts or printf, but if we analyze a bit we found:
$ rabin2 -s leakless | grep puts
004 0x000003f0 0x080483f0 GLOBAL FUNC 16 imp.puts
Quick reverse reveal that the function puts is used just in the handler function wich is called by the setup func that is (finally) called by main function.
Let's now analyze the protection that are enabled on this binary(assuming ASLR is active on the remote server):
[+] checksec for 'leakless'
Canary : No
NX : Yes
PIE : No
Fortify : No
RelRO : Partial
With that in mind we can start figure out our exploit.
Use the buffer overflow to override the ret addr and get control on eip, use ret2libc to leak some GOT addr and return into main func.
The leak payload will be like this
[A x off][puts_plt][main_addr][some_GOT_addr]
[A x off][system_libc][junk][/bin/sh]and send it.