Getting the environment address? (Fedora Core 4)
Hey everyone...
*Please flame me if this is inappropriate (I'm just trying to learn).
*Or if I totally don't get it... Which is possible.
I'm currently working on an overflow exploit on my Fedora 4 box...
Now I know about the stack and malloc() heap being non-exec...
So I'm trying to ret to libc. Correct?
Anyway, here's where it gets hairy...
I'm trying to export a /bin/sh string to an environment variable. (don't judge yet!)
$ export BINSH="/bin/sh"
Now to retrieve the address of this variable I'm using getenv() of course.
Here's the source.. it's from Jon Erickson's "The Art of Exploitation"
#include <stdio.h>   /* printf() */
#include <stdlib.h>  /* getenv(), exit() */

int main(int argc, char *argv[])
{
    char *addr;

    if(argc < 2)
    {
        printf("Usage:\n%s <environment variable name>\n", argv[0]);
        exit(0);
    }

    /* getenv() returns a pointer to the value string inside this process's environment */
    addr = getenv(argv[1]);
    if(addr == NULL)
        printf("The environment variable %s doesn't exist.\n", argv[1]);
    else
        /* note: %x is handed argv[1], a char *, so it prints that pointer's value in hex */
        printf("%x is located at %p\n", argv[1], addr);

    return 0;
}
Now I've compiled it and run it like the following:
$ ./gtenv BINSH
bfeada13 is located at 0xbfeade91
Now... Shouldn't this read:
BINSH is located at 0xbfeade91
What's happening?
The so called "variable" also changes name and address. Why?
$ ./gtenv BINSH
bfbb7a13 is located at 0xbfbb7e91
$ ./gtenv BINSH
bff97a13 is located at 0xbff97e91
Does it have anything to do with the exec-shield feature?
Is there another way to store this in memory?
Or am I totally stupid?
I'm eventually going to need to export a path to a "wrapper" so I need to figure this out.
Well, that's it...
Give the newb a hand.
Last edited by ComPort; 11-01-2005 at 08:43 PM.
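The program in the post has two separate things going on: the first field is printed with %x instead of %s (so the pointer value of argv[1] is shown, not its text), and the addresses move between runs because the kernel randomises the stack region that holds argv and the environment. The following is an added example, not the poster's code or anything from the book: it prints the report with the matching format specifiers, shows where the name string itself lives so the two stack addresses can be compared, and reads the Linux ASLR setting from /proc/sys/kernel/randomize_va_space (which exec-shield-era kernels also exposed) so the reader can check whether randomisation is active. The DEMO_VAR name and its value are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L /* for setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the pointer getenv() hands back for NAME, or NULL if it is unset.
 * The pointer refers into this process's own environment strings, which sit
 * near the top of the stack; under ASLR that region moves on every exec. */
const char *env_value(const char *name)
{
    return getenv(name);
}

/* Write "NAME is located at 0x..." into OUT, using %s for the name (a string)
 * and %p for the address. Returns the length written, or -1 if NAME is unset. */
int format_report(const char *name, char *out, size_t outlen)
{
    const char *addr = getenv(name);
    if (addr == NULL)
        return -1;
    return snprintf(out, outlen, "%s is located at %p", name, (const void *)addr);
}

/* Read the kernel's ASLR knob: 0 = off, 1 = randomise stack/mmap/VDSO,
 * 2 = also randomise the heap (brk). Returns -1 if the file cannot be read
 * (non-Linux system or restricted /proc). */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(int argc, char *argv[])
{
    char line[256];
    /* DEMO_VAR is a constructed variable so the demo runs without a prior export */
    const char *name = argc > 1 ? argv[1] : "DEMO_VAR";
    if (argc < 2)
        setenv("DEMO_VAR", "demo-value", 1);

    if (format_report(name, line, sizeof line) < 0) {
        printf("The environment variable %s doesn't exist.\n", name);
        return 1;
    }
    puts(line);
    /* argv[1] and the value string are both on the stack, a few hundred bytes
     * apart; this is the number the original %x was printing. */
    printf("(the name string itself lives at %p; ASLR setting: %d)\n",
           (const void *)name, aslr_setting());
    return 0;
}
```

Run it twice in a row with any variable name: with randomize_va_space at 1 or 2 both addresses change between runs while their distance stays the same, which is the behaviour in the post; with it at 0 they are stable.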