CODEWITHSUNDEEP
cgdbstatic-linkinglibc
Abhishek Ghosh
Abhishek Ghosh

Reputation: 665

The libc function "system" does not get linked in the executable produced by GCC even after using the static flag

I am new to systems programming. I was just trying to implement the ret2libc attack on my own. To implement that, I need the address of the start of the libc function "system" in the executable.

I tried to do static linking, but to my surprise, the "system" function is not getting linked in my executable.

Below is a simple program saved as t.c:

#include <stdio.h>
#include <stdlib.h>
int fun()
{
    int x;
}int main()
{
    fun();
    int x;
    x=10;
    printf("%d\n",x);
    return 0;
}

Below is the output which I get when using GDB:

abhishek@abhishek:~$ gcc -g -static t.c -o t
abhishek@abhishek:~$ gdb -q t
Reading symbols from t...
(gdb) print system
No symbol "system" in current context.
(gdb) print memcpy
$1 = {<text gnu-indirect-function variable, no debug info>} 0x422b40 <memcpy>
(gdb) print strcmp
$2 = {<text gnu-indirect-function variable, no debug info>} 0x421b50 <strcmp_ifunc>
(gdb) print printf
$3 = {<text variable, no debug info>} 0x40b5b0 <printf>
(gdb) quit
abhishek@abhishek:~$

libc functions like memcpy, strcmp and even printf is getting linked. But not the function system. The tutorials out on the internet just asks to get the address of system and then proceed accordingly. But I am unable to get the address of system in the first place.

Could anyone help me why the function system is not linked even when I am using the -static flag in GCC?

Upvotes: 0

Views: 396

Answers (1)

the busybee
the busybee

Reputation: 12600

If an executable is linked against a library, and the library is built correctly*, only called functions of the library are included in the final executable.

Since your program does not call system(), and no other function calls it, it is apparently not included.

The solution is to call system(), for example in an unused control branch.

*) A library commonly contains modules, which are compiled from translation units. Such a translation unit is commonly a source file. For example, if your libc were built with a module that includes both printf() and system(), the latter function would be in the executable, even if it only calls printf().

Common linkers only include modules that resolve references that are unresolved at that step.

Upvotes: 2

Related Questions