# How did you get the libc binary?

[DynELF from pwntools](http://docs.pwntools.com/en/stable/dynelf.html) tries to read the build ID from the libc binary
and searches for it in a database of millions of libc binaries. And pwntools found it!
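
The build ID used as the lookup key is stored in an ELF note of type `NT_GNU_BUILD_ID`. The following is an added example, not code from the original writeup or from pwntools: it extracts that note from a little-endian ELF64 image, and the sample image with its 20-byte ID is constructed for illustration.

```python
import struct

PT_NOTE = 4            # program header type for note segments
NT_GNU_BUILD_ID = 3    # note type holding the linker-generated build ID

def _align4(n):
    return (n + 3) & ~3    # GNU build-id notes pad name and desc to 4 bytes

def iter_notes(seg):
    """Yield (name, type, desc) for each note in a little-endian note segment."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, off)
        name_off = off + 12
        desc_off = name_off + _align4(namesz)
        desc_end = desc_off + descsz
        if desc_end > len(seg):        # truncated or corrupt note: stop parsing
            return
        yield seg[name_off:name_off + namesz].rstrip(b"\0"), ntype, seg[desc_off:desc_end]
        off = desc_off + _align4(descsz)

def build_id(elf):
    """Return the GNU build ID of a little-endian ELF64 image as hex, or None."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        # p_type at +0, p_offset at +8, p_filesz at +32 within an Elf64_Phdr
        p_type, p_offset, p_filesz = struct.unpack_from("<I4xQ16xQ", elf, base)
        if p_type != PT_NOTE:
            continue
        for name, ntype, desc in iter_notes(elf[p_offset:p_offset + p_filesz]):
            if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
                return desc.hex()
    return None

def sample_elf():
    """Constructed sample: ELF64 header, one PT_NOTE phdr, two GNU notes."""
    bid = bytes(range(20))                                    # made-up build ID
    notes = struct.pack("<III4s16s", 4, 16, 1, b"GNU\0", bytes(16))   # ABI tag
    notes += struct.pack("<III4s20s", 4, 20, NT_GNU_BUILD_ID, b"GNU\0", bid)
    ehdr = struct.pack("<4sBBB9xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 120, 120,
                       len(notes), len(notes), 4)
    return ehdr + phdr + notes
```

`build_id(sample_elf())` returns the same hex string that `readelf -n` would show for a file carrying that note.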

# How does this work?

1. Use the OOB read to leak a stack address and the stack canary
2. With the stack address known, we can read from absolute addresses and leak the libc address and symbols (with `DynELF`)
3. The Add function causes a buffer overflow; use it to perform a ret2libc attack

Note that putting `"/bin/sh\0"` on the stack may not work, because `system(stack_buffer_bin_sh)`
may use the same stack space where the `"/bin/sh\0"` string is.

Original writeup (https://gist.github.com/Inndy/a2c630a6e70d892758908915914cebfc).