Jump to register with return to libc

This is the vulnerable script:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char *argv[])
{
char buffer[30];
strcpy(buffer, argv[1]);
return 0;
}

I'm trying to exploit this script with both ASLR and NX on. I was going to use the return to libc method for ASLR, and I was wondering if the jump to register technique is possible to jump to a library. For example, if the location of the library is stored in EAX, can I have the return address point to an opcode of "jump to EAX"? Or is there any other method to bypassing both ASLR a开发者_如何学JAVAnd NX at the same time? Thanks

I had thought "return to libc" (or any library or program code) was used to get around NX. So I believe that you have that backwards.

ASLR is used to make a "return to libc" attack much, much harder to pull off. To get around ASLR you need to either have a way to scout the library location such as through a printf format string vulnerability, or you need to run your exploit hundreds of times until you hit the correct random location.

Well there is an opcode call (function pointers are implemented that way after all), but that won't help much (and how you'd get the address into eax in the first place is a riddle to me - that's highly unlikely I think)

After all you'd still need the stack to be executeable (otherwise having stored an opcode there won't do much good) and know its address so that you can jump to it. There are ways to circumvent those protections but it's not that easy - though I'm sure you can find enough papers about that topic with a bit googling - but if you have an exploit to circumvent ASLR and NX you don't need the return to libc attack any longer because you have control over the system already.