
So I want to practice doing a ret2libc attack, and I'm playing around with gdb on this simple program:

// File: retlib.c

#include <stdio.h>
#include <stdlib.h>

int main()
{
    /* Print the address this executable uses for system(). The (void *) cast
       is needed because %p expects an object pointer, not a function pointer. */
    printf("system = %p\n", (void *) system);
    char c[] = "echo 123";
    system(c);

    return 0;
}

Now notice this

Reading symbols from ./retlib...(no debugging symbols found)...done.
(gdb) p system
$1 = {<text variable, no debug info>} 0x4004b0 <system@plt>
(gdb) b main
Breakpoint 1 at 0x4005ea
(gdb) r
Starting program: /home/users/mickey/retlib 

Breakpoint 1, 0x00000000004005ea in main ()
(gdb) p system
$2 = {<text variable, no debug info>} 0x7ffff7a523a0 <__libc_system>
(gdb) c
Continuing.
system = 0x4004b0
123
[Inferior 1 (process 11593) exited normally]

My question is, why do I get two different outputs for the system function address? And even after I start running the program, the gdb command says one thing and printf says another. I notice that the tags for each address are different, but why is this happening? Any help would be appreciated!

  • Isn't it saying system is at 0x4004b0 both times? Commented Jul 10, 2020 at 20:06
  • @JohnnyMopp Yes but the second time I type p system it gives me a different address. Commented Jul 10, 2020 at 20:17
  • Reading symbols from ./retlib...(no debugging symbols found)...done. Are you compiling with -g flag on? Commented Jul 10, 2020 at 20:23
  • printf("system = %p\n", system); is not a specified way to print a function address; it is UB. printf("system = %p\n", (void*) system); is marginally better. There is no great way to print a function address with certainty. Commented Jul 10, 2020 at 20:25
  • @DavidRanieri uhm actually no I did not add that flag for some reason... But I tried it with the -g flag on and same thing happened. Commented Jul 10, 2020 at 20:33

1 Answer


Before running the program, gdb will give you the procedure linkage table (.plt) address; after running, the libc function address.


3 Comments

And which one is a valid return address for using in a return libc attack?
@DaMike See this
@DaMike no difference, either one ends up calling system.
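Added example (not code from the question or the answer above): it checks, at run time and without a debugger, whether the pointer value the executable holds for `system` lives in the executable's own mapping (a PLT stub, the 0x4004b0-style value gdb shows before `run`) or in libc, by scanning /proc/self/maps. Linux only; building once with -no-pie and once with -pie shows the pointer move between the two objects.

```c
// Added example, not from the question or the answer above. Resolves which
// mapped object (the executable itself or a shared library such as libc) owns a
// code address by scanning /proc/self/maps, so a PLT stub can be told apart
// from the real libc entry for system(). Linux only.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies the path of the mapping containing `addr` into `out`.
   Returns 1 on success, 0 if no mapping was found or /proc is unavailable. */
int owning_object(const void *addr, char *out, size_t outlen) {
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL) return 0;
    char line[512];
    unsigned long target = (unsigned long)addr;
    int found = 0;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long lo, hi;
        char path[256] = "";
        /* Fields: start-end perms offset dev inode [path]; the path is optional. */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &lo, &hi, path) < 2) continue;
        if (target >= lo && target < hi) {
            snprintf(out, outlen, "%s", path[0] ? path : "[anonymous]");
            found = 1;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* 1 if both addresses live in the same mapped object, 0 if not, -1 on error.
   If `system` shares an object with a function defined in this file, the
   pointer is the executable's PLT stub rather than the libc entry. */
int same_object(const void *a, const void *b) {
    char pa[256], pb[256];
    if (!owning_object(a, pa, sizeof pa) || !owning_object(b, pb, sizeof pb)) return -1;
    return strcmp(pa, pb) == 0;
}

int main(void) {
    char obj[256];
    void *sys = (void *)system;   /* the value printf("%p", (void *)system) prints */
    if (owning_object(sys, obj, sizeof obj))
        printf("system = %p lives in %s\n", sys, obj);
    printf("same object as this executable's code: %s\n",
           same_object(sys, (const void *)owning_object) == 1 ? "yes (PLT stub)" : "no (libc itself)");
    return 0;
}
```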
