A “return-to-libc” attack is an attack that usually starts with a buffer overflow, in which a subroutine return address on the call stack is replaced by the address of a subroutine that is already present in the process’s executable memory. This bypasses the NX bit feature (if present) and rids the attacker of the need to inject their own code.
On POSIX-compliant operating systems, the C standard library (libc) is commonly used to provide a standard runtime environment for programs written in the C programming language. Although the attacker could make the code return anywhere, libc is the most likely target, as it is almost always linked to the program and it provides calls that are useful to an attacker (such as the system function, which executes shell commands).
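The precondition the paragraph describes is an unbounded copy into a fixed-size stack buffer, which lets the input run past the buffer into the saved return address. The following C program, an added example that is not part of the original text, places that pattern beside a bounded version that rejects oversized input before copying, and includes a small helper a reviewer can use to quantify how far a given input would overrun. The function and buffer names are invented for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* fixed-size stack buffer (size chosen for the example) */

/* Vulnerable pattern: strcpy() has no bound, so an input longer than 'name'
   overwrites whatever follows the buffer on the stack, including the saved
   return address. Shown for contrast only; it is never called with oversized
   input in this program. */
int greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                 /* no length check at all */
    return (int)strlen(name);
}

/* Hardened version: check the length first, then copy with an explicit bound.
   Returns -1 when the input does not fit (including its terminator). */
int greet_safe(const char *input) {
    char name[NAME_LEN];
    size_t n = strlen(input);
    if (n >= sizeof name)                /* need one byte for the NUL */
        return -1;                       /* reject rather than truncate silently */
    memcpy(name, input, n + 1);
    return (int)n;
}

/* Review helper: how many bytes an unbounded copy of 'input' would write
   past the end of a buffer of 'buf_len' bytes (0 if it fits). */
size_t overflow_bytes(size_t buf_len, const char *input) {
    size_t need = strlen(input) + 1;     /* characters plus terminator */
    return need > buf_len ? need - buf_len : 0;
}

int main(void) {
    char long_input[64];
    memset(long_input, 'A', sizeof long_input - 1);   /* constructed oversized input */
    long_input[sizeof long_input - 1] = '\0';

    printf("hardened: short input -> %d, long input -> %d\n",
           greet_safe("alice"), greet_safe(long_input));
    printf("an unbounded copy of the long input would spill %zu bytes past the buffer\n",
           overflow_bytes(NAME_LEN, long_input));
    return 0;
}
```

The bounded copy removes the overflow regardless of NX, which is the point of the paragraph: NX stops injected code from executing but does nothing about a corrupted return address, so the fix has to be at the copy itself (with stack canaries and ASLR as additional layers).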
Reconnaissance enables adversaries to gather information about the target system, including its network topology, configurations, and network dynamics.
This information can be used to identify system vulnerabilities and to design and execute specific exploits.
Procedure of Attack
Most network mapping tools perform their operations using ICMP packets and TCP or UDP scans.
- ICMP messages are typically used to verify the connectivity or reachability of potential targets. TCP and UDP port scans are used to identify the services running on a target.
- Replies to scans (a TCP RST, a silent drop, or an ICMP unreachable message) can also reveal which services are allowed or filtered by transit devices.
- Additionally, the TTL field of IP packets is used to identify the distance between the target and the destination.
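From the defender's side, the same signals the list describes (many distinct ports probed from one source, ICMP probes, and the TTL of arriving packets) are what a simple detector looks for. The C program below is an added example, not code from the cited paper; it parses a few constructed firewall log lines in an invented `proto=... src=... dport=... ttl=...` format, counts distinct destination ports per source to flag scanning behaviour, and estimates hop distance from the TTL by assuming the sender started from one of the common initial TTL defaults (64, 128, 255). The threshold and log format are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   16
#define MAX_PORTS 64

/* Constructed sample log lines (not real captures). */
static const char *SAMPLE_LOG[] = {
    "proto=TCP src=10.0.0.5 dport=22 ttl=54",
    "proto=TCP src=10.0.0.5 dport=23 ttl=54",
    "proto=TCP src=10.0.0.5 dport=80 ttl=54",
    "proto=TCP src=10.0.0.5 dport=443 ttl=54",
    "proto=TCP src=10.0.0.5 dport=8080 ttl=54",
    "proto=TCP src=10.0.0.5 dport=3306 ttl=54",
    "proto=UDP src=10.0.0.7 dport=53 ttl=120",
    "proto=TCP src=10.0.0.7 dport=443 ttl=120",
    "proto=ICMP src=10.0.0.9 dport=0 ttl=250",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct src_stats {
    char ip[32];
    int  ports[MAX_PORTS];
    int  nports;   /* distinct destination ports seen from this source */
    int  icmp;     /* ICMP probes seen */
    int  ttl;      /* last observed TTL */
};

/* Estimate hop count: assume the sender's initial TTL was the smallest common
   default (64, 128, 255) not below the observed value. Returns -1 if invalid. */
int hop_count(int ttl) {
    static const int defaults[] = {64, 128, 255};
    if (ttl <= 0 || ttl > 255) return -1;
    for (size_t i = 0; i < 3; i++)
        if (ttl <= defaults[i]) return defaults[i] - ttl;
    return -1;
}

static struct src_stats *find_or_add(struct src_stats *tab, int *n, const char *ip) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].ip, ip) == 0) return &tab[i];
    if (*n >= MAX_SRC) return NULL;          /* table full: drop rather than overrun */
    struct src_stats *s = &tab[(*n)++];
    memset(s, 0, sizeof *s);
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    return s;
}

static void record_port(struct src_stats *s, int port) {
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port) return;      /* already counted */
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = port;
}

/* Parse 'lines' into per-source stats and return how many sources touched
   more than 'threshold' distinct ports. 'tab' must hold MAX_SRC entries. */
int count_scanners(const char **lines, size_t nlines, int threshold,
                   struct src_stats *tab, int *n) {
    *n = 0;
    for (size_t i = 0; i < nlines; i++) {
        char proto[8], ip[32];
        int port, ttl;
        if (sscanf(lines[i], "proto=%7s src=%31s dport=%d ttl=%d",
                   proto, ip, &port, &ttl) != 4)
            continue;                         /* malformed line: skip it */
        struct src_stats *s = find_or_add(tab, n, ip);
        if (!s) continue;
        s->ttl = ttl;
        if (strcmp(proto, "ICMP") == 0) s->icmp++;
        else record_port(s, port);
    }
    int flagged = 0;
    for (int i = 0; i < *n; i++)
        if (tab[i].nports > threshold) flagged++;
    return flagged;
}

/* Convenience wrapper that runs the detector over the embedded sample. */
int sample_scanner_count(int threshold) {
    struct src_stats tab[MAX_SRC];
    int n;
    return count_scanners(SAMPLE_LOG, SAMPLE_LOG_N, threshold, tab, &n);
}

int main(void) {
    struct src_stats tab[MAX_SRC];
    int n;
    int flagged = count_scanners(SAMPLE_LOG, SAMPLE_LOG_N, 4, tab, &n);
    printf("%d source(s) exceeded the distinct-port threshold\n", flagged);
    for (int i = 0; i < n; i++)
        printf("%s: %d distinct ports, %d ICMP probes, ~%d hops away\n",
               tab[i].ip, tab[i].nports, tab[i].icmp, hop_count(tab[i].ttl));
    return 0;
}
```

With the sample data, only 10.0.0.5 crosses a threshold of four distinct ports; the TTL-derived hop estimate is only a heuristic, since a sender can set any initial TTL, which is exactly why it is useful to the mapper described above and only indicative to the defender.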
 SDN-based solutions for Moving Target Defense Network Protection, by Panos Kampanakis, in WoWMoM14