return-to-libc exploit: where to provide arguments for system() call?
A pointer to the argument should be found immediately above the return address. That is, after the overwrite, your stack should look something like this:
    -----------
    shellcode: /bin/whatever ............\0
    -----------
    &shellcode              <-- str is here
    -----------
    &system                 <-- return address is here
    -----------
    previous frame pointer  <-- don't corrupt this
    -----------
    padding                 <-- buffer
Note that this implies you must know what %esp is when you reach strcpy (to avoid corrupting the previous frame pointer). Also, none of the pointers can contain a zero byte.