
I am new to systems programming. I was just trying to implement the ret2libc attack on my own. To implement that, I need the address of the start of the libc function "system" in the executable.

I tried to do static linking, but to my surprise, the "system" function is not getting linked in my executable.

Below is a simple program saved as t.c:

#include <stdio.h>
#include <stdlib.h>

/* Dummy function: does nothing, exists only so main() has a call to make.
 * Declared void because it never returns a value. */
void fun(void)
{
    int x;
    (void)x;
}

int main(void)
{
    fun();
    int x;
    x = 10;
    printf("%d\n", x);
    return 0;
}

Below is the output which I get when using GDB:

abhishek@abhishek:~$ gcc -g -static t.c -o t
abhishek@abhishek:~$ gdb -q t
Reading symbols from t...
(gdb) print system
No symbol "system" in current context.
(gdb) print memcpy
$1 = {<text gnu-indirect-function variable, no debug info>} 0x422b40 <memcpy>
(gdb) print strcmp
$2 = {<text gnu-indirect-function variable, no debug info>} 0x421b50 <strcmp_ifunc>
(gdb) print printf
$3 = {<text variable, no debug info>} 0x40b5b0 <printf>
(gdb) quit
abhishek@abhishek:~$ 

libc functions like memcpy, strcmp and even printf are getting linked, but not the function system. The tutorials out on the internet just ask to get the address of system and then proceed accordingly. But I am unable to get the address of system in the first place.

Could anyone help me understand why the function system is not linked even when I am using the -static flag in GCC?

Comments:
  • You're not using the system() function. Only functions (or actually the compilation unit the function is part of) get linked in. printf and the libc runtime itself may call other functions such as memcpy/strcmp, so those get linked in. Commented Aug 23, 2022 at 8:19
  • ... add some function that calls system to your code, so it gets linked into your executable, like void foo(void) {system("bar");} Commented Aug 23, 2022 at 8:40

1 Answer

If an executable is linked against a library, and the library is built correctly*, only called functions of the library are included in the final executable.

Since your program does not call system(), and no other function calls it, it is apparently not included.

The solution is to call system(), for example in an unused control branch.


*) A library commonly contains modules, which are compiled from translation units. Such a translation unit is commonly a source file. For example, if your libc were built with a module that includes both printf() and system(), the latter function would be in the executable, even if it only calls printf().

Common linkers only include modules that resolve references that are unresolved at that step.
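The following is an added example, not code from the question or the answer, showing the "unused control branch" trick the answer recommends. The `address_of_system` and `address_of_printf` function names and the `/bin/true` argument are this example's own choices. Taking the address of `system` (and calling it on a branch the compiler cannot prove dead) creates an unresolved reference to the symbol, so when the program is linked with `-static` the linker has to pull the object module that defines `system` out of libc.a, even though the call never executes:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* volatile keeps the compiler from folding the branch away at -O2 and
 * dropping the reference to system() along with it. */
static volatile int take_the_branch = 0;

/* Returns the load address of system(). The mere reference below forces
 * the static linker to include the libc module that defines system(). */
uintptr_t address_of_system(void)
{
    if (take_the_branch)          /* never true at run time: bait for the linker only */
        system("/bin/true");      /* hypothetical command, never actually run */
    return (uintptr_t)system;
}

/* For comparison: a symbol the program already uses, so it is linked
 * in anyway, exactly as the questioner observed with printf. */
uintptr_t address_of_printf(void)
{
    return (uintptr_t)printf;
}

int main(void)
{
    printf("system at %#lx\n", (unsigned long)address_of_system());
    printf("printf at %#lx\n", (unsigned long)address_of_printf());
    return 0;
}
```

After `gcc -g -static` on this file, `nm <binary> | grep -w system` lists the symbol and `print system` in gdb resolves it; without the reference both come back empty, which is exactly the situation in the question. The printed values are specific to the build (compiler, glibc version, PIE or not), so they are not meaningful across machines, only within the binary you are attacking.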


9 Comments

I was going through the tutorial here: youtu.be/Gu_JGaWpcn4?t=438 from IIT Madras and also the tutorial here: ired.team/offensive-security/code-injection-process-injection/… Each of them uses simple programs which do not call system on their own. But still, when they open GDB and give the command print system, the address of system is shown. With the same program on a similar system (Lubuntu 22.04 and GCC 11.2.0) I am unable to locate system.
Intuitively I too had the idea that unless a function gets used it is not linked. (I guess I read in the book : C- Complete Reference by Herbert Schildt). But the way they were doing it in the above two tutorials I thought that I might have been wrong... (especially since the book has negative reviews...)
@AbhishekGhosh that may be the case on that particular environment where system gets linked into your final executable for some reason. You might ask the people that made the tutorial for more details. In the meantime try what has been suggested here.
@AbhishekGhosh BTW, all those tutorials that show how to exploit security breaches often don't work anymore, because your environment is different from that the authors had when they wrote the article/tutorial. Different OS, different version of the compiler, different compiler altogether etc., etc.
@AbhishekGhosh Looking at the video at 09:20, when the instructor runs info proc map, it turns out that the executable has linked libc dynamically.