LinuxQuestions.org > Forums > Linux Forums > Linux - Security

Old 11-01-2005, 09:21 PM   #1
ComPort
LQ Newbie
 
Registered: Sep 2005
Posts: 2

Getting the environment address? (Fedora Core 4)


Hey everyone...

*Please flame me if this is inappropriate (I'm just trying to learn).
*Or if I totally don't get it... which is possible.

I'm currently working on an overflow exploit on my Fedora 4 box...
Now I know about the stack and malloc() heap being non-exec...
So I'm trying to ret to libc. Correct?

Anyway, here's where it gets hairy...
I'm trying to export the /bin/sh string to an environment variable. (Don't judge yet!)

$ export BINSH="/bin/sh"

Now to retrieve the address of this variable I'm using getenv(), of course.
Here's the source... it's from Jon Erikson's "The Art of Exploitation".

#include <stdio.h>   /* printf() */
#include <stdlib.h>  /* getenv(), exit() */

int main(int argc, char *argv[])
{
    char *addr;

    if(argc < 2)
    {
        printf("Usage:\n%s <environment variable name>\n", argv[0]);
        exit(0);
    }

    /* getenv() returns a pointer to the variable's value inside the process environment */
    addr = getenv(argv[1]);
    if(addr == NULL)
        printf("The environment variable %s doesn't exist.\n", argv[1]);
    else
        /* argv[1] is a char *, but %x expects an unsigned int (see the reply below) */
        printf("%x is located at %p\n", argv[1], addr);
    return 0;
}

Now I've compiled it and run it like the following:

$ ./gtenv BINSH
bfeada13 is located at 0xbfeade91

Now... shouldn't this read:
BINSH is located at 0xbfeade91

What's happening?
The so-called "variable" also changes name and address. Why?

$ ./gtenv BINSH
bfbb7a13 is located at 0xbfbb7e91
$ ./gtenv BINSH
bff97a13 is located at 0xbff97e91

Does it have anything to do with the Exec-Shield feature?
Is there another way to store this in memory?
Or am I totally stupid?

I'm eventually going to need to export a path to a "wrapper", so I need to figure this out.

Well, that's it...
Give the newb a hand.

Last edited by ComPort; 11-01-2005 at 09:43 PM.
 
Old 11-01-2005, 10:14 PM   #2
jonaskoelker
Senior Member
 
Registered: Jul 2004
Location: Denmark
Distribution: Ubuntu, Debian
Posts: 1,524

First, replace %x with %s in your printf. %x expects an int; you're giving it a pointer.

I punt w.r.t. the rest.

hth --Jonas
 
Old 11-01-2005, 10:32 PM   #3
ComPort
LQ Newbie
 
Registered: Sep 2005
Posts: 2

Original Poster
Thanks, bud... that did it for the variable's name...
It's a wonder I didn't notice that myself.

Now, is the pointer supposed to change like this?

# ./gtenv BINSH
BINSH is located at 0xbfb11f17
# ./gtenv BINSH
BINSH is located at 0xbf9a7f17
# ./gtenv BINSH
BINSH is located at 0xbfe81f17

If so... why is this?
And how can I use this as an argument if it changes all the time?
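Added example for the helper posted in #1 and the moving addresses shown in #3. This is not code from the thread or from the book the original poster cites; it is a rewritten gtenv that prints the name with %s and the pointer with %p, and adds the three checks a practitioner wants before trusting the printed address: the byte offset of the value inside the environment string block the kernel laid out at exec time (getenv() returns a pointer just past "NAME=", not to the name, and the offset depends on every variable stored before it); whether the variable lives in that stack block at all (a variable added at run time with setenv()/putenv() is allocated with malloc(), so its address is a heap address); and the mainline sysctl that controls address-space randomization, which is what makes the address move between runs. The helper name gtenv and the variable name GTENV_EXAMPLE_HEAP used in the usage note are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Byte offset, from the start of the environment string block, of the value
 * of NAME: getenv() returns a pointer just past "NAME=", not to the name.
 * Valid for the block the kernel laid out at exec time, where each
 * "NAME=value\0" is stored back to back in envp order; returns -1 if absent. */
long env_value_offset(char *const envp[], const char *name)
{
    size_t namelen = strlen(name);
    long off = 0;

    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, namelen) == 0 && envp[i][namelen] == '=')
            return off + (long)namelen + 1;       /* skip "NAME=" */
        off += (long)strlen(envp[i]) + 1;         /* string plus its NUL */
    }
    return -1;
}

/* Bounds [lo, hi) of the contiguous string block the kernel put on the stack
 * at exec time. Walks environ while each entry starts exactly where the
 * previous one ended, so strings added later with setenv()/putenv(), which
 * glibc allocates on the heap, are excluded. */
void initial_env_block(char **lo, char **hi)
{
    *lo = *hi = NULL;
    if (environ == NULL || environ[0] == NULL)
        return;

    char *end = environ[0] + strlen(environ[0]) + 1;
    for (size_t i = 1; environ[i] != NULL && environ[i] == end; i++)
        end += strlen(environ[i]) + 1;
    *lo = environ[0];
    *hi = end;
}

/* 1 if p points into that exec-time block, 0 if it is NULL or elsewhere. */
int in_initial_env_block(const char *p)
{
    char *lo, *hi;
    initial_env_block(&lo, &hi);
    return p != NULL && (uintptr_t)p >= (uintptr_t)lo && (uintptr_t)p < (uintptr_t)hi;
}

/* Mainline kernels expose the randomization switch here (0 = off,
 * 1 = stack, mmap and vdso, 2 = also brk). Returns -1 if the file is
 * absent, e.g. on an older Exec-Shield kernel; check what your kernel
 * exposes under /proc/sys/kernel in that case. */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;

    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <environment variable name>\n", argv[0]);
        return 1;
    }

    char *addr = getenv(argv[1]);
    if (addr == NULL) {
        printf("The environment variable %s doesn't exist.\n", argv[1]);
        return 1;
    }

    /* %s for the name and %p for the pointer; %x with a char * is what
     * printed the bogus name in the thread */
    printf("%s is located at %p\n", argv[1], (void *)addr);

    if (in_initial_env_block(addr))
        printf("  in the exec-time stack block, %ld bytes past its start at %p\n",
               env_value_offset(environ, argv[1]), (void *)environ[0]);
    else
        printf("  not in the exec-time stack block (added with setenv/putenv, so a heap address)\n");

    int r = read_randomize_va_space();
    if (r < 0)
        printf("  randomize_va_space: not exposed by this kernel\n");
    else
        printf("  randomize_va_space = %d (%s)\n", r,
               r ? "stack base moves on every exec" : "stack base fixed");
    return 0;
}
```

Build with gcc and run ./gtenv BINSH from the shell where BINSH was exported, exactly as in the thread. While the stack base is randomized on every exec (Exec-Shield on Fedora Core kernels, randomize_va_space on mainline) no helper can predict the address inside another process, which is why the three runs in #3 differ; on a mainline lab kernel, writing 0 to /proc/sys/kernel/randomize_va_space as root makes the printed address stable across runs. Two caveats remain even with randomization off: the kernel copies the executable's filename onto the stack above the environment strings, so a helper whose name length differs from the target's sees the whole block shifted by that difference (use names of equal length, and confirm the address in gdb in the target itself), and the environment must be identical for both processes, since every variable stored before BINSH changes its offset.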
 
  

