So I want to practice doing a ret2libc attack and I'm playing around with gdb on this simple program
// File: retlib.c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* Prints whatever address this executable binds to the name `system`.
       (Passing a function pointer to %p is not strictly conforming C; the
       portable spelling is (void *)system, as noted in the comments below.) */
    printf("system = %p\n", system);
    char c[] = "echo 123";
    system(c);
    return 0;
}
Now notice this:
Reading symbols from ./retlib...(no debugging symbols found)...done.
(gdb) p system
$1 = {<text variable, no debug info>} 0x4004b0 <system@plt>
(gdb) b main
Breakpoint 1 at 0x4005ea
(gdb) r
Starting program: /home/users/mickey/retlib
Breakpoint 1, 0x00000000004005ea in main ()
(gdb) p system
$2 = {<text variable, no debug info>} 0x7ffff7a523a0 <__libc_system>
(gdb) c
Continuing.
system = 0x4004b0
123
[Inferior 1 (process 11593) exited normally]
My question is, why do I get two different outputs for the address of the system function? And even after I start running the program, the gdb command says one thing and printf says another. I notice that the tags for each address are different, but why is this happening? Any help would be appreciated!
system is at 0x4004b0 both times?

p system gives me a different address.

Reading symbols from ./retlib...(no debugging symbols found)...done. Are you compiling with the -g flag on?

printf("system = %p\n", system); is not a specified way to print a function address; it is UB. printf("system = %p\n", (void*) system); is marginally better. There is no great way to certainly print a function address.

-g flag on and same thing happened.
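What the session shows is two different objects answering to the same name. Before `r`, gdb has only the executable's symbol table, and the only `system` in it is the PLT stub `system@plt` at 0x4004b0; once the program runs, libc is mapped, gdb reads its symbols, and it resolves the name to libc's own definition (`__libc_system` at 0x7ffff7a523a0). The printf shows 0x4004b0 because in a non-PIE executable taking the address of an imported function yields its PLT entry (in a PIE build the address is loaded from the GOT and is libc's). The program below is an added example, not from the question or its comments: it classifies its own `(void *)system` by looking up which mapped file contains it, using Linux's /proc/self/maps and /proc/self/exe (the same information gdb's `info proc mappings` gives). The helper names `mapping_of`, `address_is_in_executable` and `system_address_is_plt_stub` are mine; compile with `gcc -no-pie` to see the stub case from the question, and with gcc's default PIE to see the libc case.

```c
/* Added example (not part of the original question): report which mapped
 * object the address of `system` falls in, from inside the process.
 * Linux-specific: relies on /proc/self/maps and /proc/self/exe. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy the path of the file mapped at addr into out. Returns 1 on success,
   0 if /proc/self/maps is unavailable or addr is not mapped. */
int mapping_of(const void *addr, char *out, size_t outlen)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t a = (uintptr_t)addr;
    int found = 0;

    if (maps == NULL)
        return 0;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long start = 0, end = 0;
        int path_off = 0;
        /* Line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %*4s %*lx %*x:%*x %*lu %n",
                   &start, &end, &path_off) < 2 || path_off == 0)
            continue;
        if (a >= start && a < end) {
            char *path = line + path_off;
            path[strcspn(path, "\n")] = '\0';
            snprintf(out, outlen, "%s", *path ? path : "[anonymous]");
            found = 1;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* Path of the running executable, resolved from /proc/self/exe. */
int executable_path(char *out, size_t outlen)
{
    ssize_t n = readlink("/proc/self/exe", out, outlen - 1);
    if (n < 0)
        return 0;
    out[n] = '\0';
    return 1;
}

/* 1 if addr lies inside the executable's own mapping (e.g. a PLT stub),
   0 if it is elsewhere (a shared library such as libc) or unknown. */
int address_is_in_executable(const void *addr)
{
    char map[512], exe[512];
    if (!mapping_of(addr, map, sizeof map) || !executable_path(exe, sizeof exe))
        return 0;
    return strcmp(map, exe) == 0;
}

/* 1 if `(void *)system` in this build is the executable's PLT stub, which is
   what the question's non-PIE binary printed; 0 if it points into libc. */
int system_address_is_plt_stub(void)
{
    /* Casting a function pointer to void * is the form the comments
       recommend; POSIX requires it to work for the dlsym() interface. */
    return address_is_in_executable((const void *)system);
}

/* 1 if the address of `system` lies in some mapping at all (it always should). */
int system_address_is_mapped(void)
{
    char map[512];
    return mapping_of((const void *)system, map, sizeof map);
}

int main(void)
{
    char map[512];
    const void *sys = (const void *)system;

    printf("(void *)system = %p\n", sys);
    if (mapping_of(sys, map, sizeof map))
        printf("  mapped from: %s\n", map);
    printf("  %s\n", system_address_is_plt_stub()
           ? "that is the system@plt stub inside this executable (non-PIE build)"
           : "that is libc's own code (PIE build, address came via the GOT)");
    return 0;
}
```

For a ret2libc exercise this distinction matters: the stub address is fixed by the executable and survives ASLR of libc, while the libc address moves with each run unless randomization is disabled, so the two numbers gdb printed are not interchangeable.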