Question for all the C gurus in here.


Ninth
10-17-10, 10:19 PM
I have a program.
The program uses a selection of stdlib functions, not including system.
I cannot modify this program in any way.
My stack is non executable; and was compiled with a canary.

I would like to utilize a return to glibc attack to circumvent these limitations. Normally I would utilize system@plt, but as it was not compiled in, I cannot use it. There SHOULD be system present; however, the system I obtained by using print &system in gdb seems to function differently from the one I'm used to. What is this "new" system I've found, how does it work, and how can I get at the system stdlib function that I'm used to? Assume for this case that I have full control over modifying the stack starting at a buffer far lower than the set of return addresses/pushed ebp's that one would wish to modify for this exploit.

As an addendum: yes, this is a vulnerability exploitation technique; no, this is not in relation to anything illegal, this is an exercise for personal enrichment.

Thanks for any help;
Best,
-me
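The question rests on two hardening premises (non-executable stack, stack canary). The first can be verified at runtime rather than assumed; the following is an added example, not code from the thread, and it assumes a Linux/glibc build where dl_iterate_phdr reports the main program first:

```c
/* Added example: check whether the running executable carries a
 * PT_GNU_STACK program header without the PF_X flag, i.e. whether the
 * loader mapped its stack non-executable. Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <link.h>
#include <stdio.h>

struct stack_probe {
    int calls;       /* number of objects visited so far */
    int found;       /* 1 if PT_GNU_STACK was present in the main program */
    int executable;  /* 1 if that header requests an executable stack */
};

static int probe_cb(struct dl_phdr_info *info, size_t size, void *data)
{
    struct stack_probe *p = data;
    (void)size;
    /* The first object visited is the main program; stop after it. */
    if (p->calls++ > 0)
        return 1;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        if (info->dlpi_phdr[i].p_type == PT_GNU_STACK) {
            p->found = 1;
            p->executable = (info->dlpi_phdr[i].p_flags & PF_X) != 0;
        }
    }
    return 1;
}

/* Returns 1 for a non-executable stack, 0 for an executable one,
 * -1 if the main program has no PT_GNU_STACK header at all (in which
 * case the kernel default applies and the binary should be rebuilt). */
int main_stack_is_nx(void)
{
    struct stack_probe p = {0, 0, 0};
    dl_iterate_phdr(probe_cb, &p);
    if (!p.found)
        return -1;
    return p.executable ? 0 : 1;
}

int main(void)
{
    int r = main_stack_is_nx();
    printf("stack: %s\n", r == 1 ? "non-executable" :
                          r == 0 ? "EXECUTABLE" : "no PT_GNU_STACK header");
    return r == 1 ? 0 : 1;
}
```

The canary cannot be probed the same way; confirm it at build time by compiling with -fstack-protector and checking that the binary references __stack_chk_fail.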

cyberfish
10-18-10, 12:23 AM
I'm not sure if that's against the rules here, to talk about hacking.

Yes, it's possible to hack legally. The problem is we won't be able to tell.

And the page will be indexed by Google, so we can potentially be helping someone with malicious intentions.

Ninth
10-18-10, 09:01 AM
I'm not sure if that's against the rules here, to talk about hacking.

Yes, it's possible to hack legally. The problem is we won't be able to tell.

And the page will be indexed by Google, so we can potentially be helping someone with malicious intentions.

:P This problem is such a textbook problem, I'm not sure it would ever be seen in the wild, actually, at least not in such a straightforward fashion (seriously, full access to selective read/write of the stack?). And I was able to solve it, actually, quite late last night; it turns out my argument placement in reference to %esp was just a bit wonky, both due to the gdb/real-world offset, and in reference to how system takes its arguments. There's a method that utilizes the environment variable SHELL, but I wasn't able to figure out the address via gdb of the various env strings; so I just wrote /bin/sh\x00 into the buffer.

That all being said, there are already hundreds of websites created explicitly for the purpose of hacking help, making no effort to conceal malicious intent; that being said, I'm pretty sure you guys are safe -.-.

hokiealumnus
10-18-10, 09:35 AM
Sorry Ninth, but this one is too close to the line and fits within the intentionally broad "other illegal activities" of rule #10 of the Guidelines & Rules' Ground Rules (http://www.overclockers.com/forums/announcement.php?f=78&a=65#rules).
Discussion of the unauthorized reproduction, distribution, copying, or theft of copyrighted materials is forbidden. This includes, but is not limited to discussion of the use of peer to peer (P2P) applications for the purpose of obtaining copyrighted material. Discussion of P2P programs and networks is not forbidden; but there is to be no connection (stated, implied, or otherwise) to obtaining copyrighted material, or other illegal activities. ABSOLUTELY no posting of Warez (Pirated Software) or links to Warez sites. Some topics may seem like grey areas, however moderators may close a thread that threatens to delve into such areas.
Thus, it cannot live. You might not be using it in relation to anything illegal, but if instructions are here for everyone to see, it can be used much easier for such purposes.

-hokie