
I'm trying to find the address of system() in a code repo that I'm trying to exploit using Return Oriented Programming (for a course project). The code has included stdlib.h but it has not used system() anywhere.

I was under the impression that all the functions in stdlib.h would be in the same address space as the executable (that I'm trying to exploit) whether or not they were explicitly used. gdb gives me this error:

(gdb) print 'system@plt'
No symbol "system@plt" in current context.

Similarly, execve() is not in context either:

(gdb) print 'execve@plt'
No symbol "execve@plt" in current context.

Does this mean that the code is immune to ROP? I don't know of any other function that can be used to spawn a shell.

Nikhil
  • Also, because I wasn't well-versed with `plt`, I found this very good article: https://reverseengineering.stackexchange.com/questions/1992/what-is-plt-got – Nikhil Oct 07 '18 at 15:23
  • Oops, wrong link above. Correct link: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html – Nikhil Oct 07 '18 at 16:09

1 Answer

Using print 'system@plt' is only valid if the program already has an existing function (called or not) that directly references system(). In your example that's not the case.

First, disable library randomization if you haven't done so: ulimit -s unlimited

In GDB:

  1. Set a breakpoint at main

  2. Run the program.

  3. print system

That gives you the address of system().

From there, run the exploit as you were trying to.

Also, instead of posting here, you may want to ask a TA or your professor. If you're confused, it's likely other students are too.

Daisetsu
  • That worked. Thanks. The stuff I'm trying to do is not yet taught in class and it's Sunday, and I really wanted to get things going, so. – Nikhil Oct 07 '18 at 15:19
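As an added example (not code from the question or the answer): a small Python script that reads a binary's .dynsym and lists the functions it imports, which are exactly the names that get a `name@plt` stub; it also reports whether ASLR is on, since the answer starts by turning randomization off. It assumes a little-endian ELF64 binary on Linux; `sample_elf()` is a constructed stand-in for a program that calls puts() but never references system().

```python
import struct
import sys

SHT_DYNSYM, SHN_UNDEF, STT_FUNC = 11, 0, 2
SHDR, SYM = "<IIQQQQIIQQ", "<IBBHQQ"  # Elf64_Shdr / Elf64_Sym, little-endian

def imported_functions(data: bytes) -> set:
    """Names of undefined FUNC symbols in .dynsym: only these get PLT stubs, so a
    name missing here has no '<name>@plt' even though all of libc is still mapped."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    shoff = struct.unpack_from("<Q", data, 40)[0]           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 58)  # e_shentsize, e_shnum
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for _, sh_type, _, _, off, size, link, _, _, entsize in shdrs:
        if sh_type != SHT_DYNSYM:
            continue                      # statically linked files have no .dynsym
        str_off, str_size = shdrs[link][4], shdrs[link][5]  # the linked .dynstr
        strtab = data[str_off:str_off + str_size]
        for j in range(size // (entsize or 24)):
            st_name, st_info, _, st_shndx, _, _ = struct.unpack_from(SYM, data, off + j * entsize)
            if st_shndx == SHN_UNDEF and (st_info & 0xF) == STT_FUNC:
                names.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    return names

def aslr_enabled() -> bool:
    """Linux only: 0 = off, 1 = stack/mmap randomised, 2 = also brk (the default)."""
    with open("/proc/sys/kernel/randomize_va_space") as f:
        return int(f.read()) != 0

def sample_elf() -> bytes:
    """Constructed minimal ELF64 (only .dynstr/.dynsym): imports puts() and stdin, defines main()."""
    dynstr = b"\0puts\0main\0stdin\0"                       # name offsets 1, 6, 11
    syms = (struct.pack(SYM, 0, 0, 0, 0, 0, 0)             # mandatory null symbol
            + struct.pack(SYM, 1, 0x12, 0, 0, 0, 0)        # puts: GLOBAL FUNC, undefined
            + struct.pack(SYM, 6, 0x12, 0, 1, 0x1000, 32)  # main: GLOBAL FUNC, defined
            + struct.pack(SYM, 11, 0x11, 0, 0, 0, 8))      # stdin: GLOBAL OBJECT, undefined
    shdrs = (struct.pack(SHDR, *[0] * 10)                  # null section header
             + struct.pack(SHDR, 0, 3, 0, 0, 64, len(dynstr), 0, 0, 1, 0)          # .dynstr @64
             + struct.pack(SHDR, 0, SHT_DYNSYM, 0, 0, 88, len(syms), 1, 1, 8, 24))  # .dynsym @88
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 0, 184, 0, 64, 0, 0, 64, 3, 0)   # e_shoff=184, 3 section headers
    return ehdr + dynstr + b"\0" * 7 + syms + shdrs

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf()
    imports = imported_functions(blob)
    print("ASLR enabled:", aslr_enabled(), "| imported functions:", sorted(imports))
    print("'system@plt' present:", "system" in imports)
```

Run it with a path to your own binary to see which names gdb's `print 'name@plt'` will resolve; `print system` works regardless once libc has been loaded.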