Old 11-01-2005, 08:21 PM   #1
LQ Newbie
Registered: Sep 2005
Posts: 2

Rep: Reputation: 0
Getting the environment address? (Fedora Core 4)

Hey everyone...

*Please flame me if this is inappropriate (I'm just trying to learn).
*Or if I totally don't get it... Which is possible.

I'm currently working on an overflow exploit on my Fedora 4 box...
Now I know about the stack and malloc() heap being non-exec...
So I'm trying to ret to libc. Correct?

Anyways, here's where it gets hairy...
I'm trying to export a /bin/sh string to an environment variable. (don't judge yet!)

$ export BINSH="/bin/sh"

Now to retrieve the address of this variable I'm using getenv() of course.
Here's the source... it's from Jon Erickson's "The Art of Exploitation"

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char *addr;

    if(argc < 2)
    {
        printf("Usage:\n%s <environment variable name>\n", argv[0]);
        exit(0);
    }
    addr = getenv(argv[1]);   /* look the name up in this process's environment */
    if(addr == NULL)
    {
        printf("The environment variable %s doesn't exist.\n", argv[1]);
        exit(0);
    }
    /* %x is handed argv[1], a char *, so it prints the pointer value rather than the name */
    printf("%x is located at %p\n", argv[1], addr);
    return 0;
}

Now I've compiled it and ran it like the following:

$ ./gtenv BINSH
bfeada13 is located at 0xbfeade91

Now... Shouldn't this read:
BINSH is located at 0xbfeade91

What's happening?
The so-called "variable" also changes name and address. Why?

$ ./gtenv BINSH
bfbb7a13 is located at 0xbfbb7e91
$ ./gtenv BINSH
bff97a13 is located at 0xbff97e91

Does it have anything to do with the exec-shield feature?
Is there another way to store this in memory?
Or am I totally stupid?

I'm eventually going to need to export a path to a "wrapper", so I need to figure this out.

Well, that's it...
Give the newb a hand.

Last edited by ComPort; 11-01-2005 at 08:43 PM.
Old 11-01-2005, 09:14 PM   #2
Senior Member
Registered: Jul 2004
Location: Denmark
Distribution: Ubuntu, Debian
Posts: 1,524

Rep: Reputation: 47
At first, replace %x by %s in your printf. %x expects an int, you're giving it a pointer.

I punt wrt the rest.

hth --Jonas
Old 11-01-2005, 09:32 PM   #3
LQ Newbie
Registered: Sep 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Thx bud... that did it for the variable's name...
It's a wonder I didn't notice that myself.

Now, is the pointer supposed to change like this:

# ./gtenv BINSH
BINSH is located at 0xbfb11f17
# ./gtenv BINSH
BINSH is located at 0xbf9a7f17
# ./gtenv BINSH
BINSH is located at 0xbfe81f17

If so... why is this?
And how can I use this as an argument if it changes all the time?
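The jumping address in those three runs is the kernel's stack randomisation (exec-shield on Fedora Core 4, the randomize_va_space sysctl on later kernels) placing the environment block somewhere different on every exec. Added example, not code from the thread: it parses the three addresses quoted above, reports which address bits moved between runs, and reads the current setting from /proc/sys/kernel/randomize_va_space (assumed to exist, as on any Linux host).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the three addresses quoted in post #3 above. */
static const char *SAMPLE_LINES[] = { "BINSH is located at 0xbfb11f17",
    "BINSH is located at 0xbf9a7f17", "BINSH is located at 0xbfe81f17" };

/* Pull the hex address out of a "... is located at 0x..." line; 0 if absent. */
unsigned long parse_addr(const char *line)
{
    const char *p = strstr(line, "0x");
    return p ? strtoul(p, NULL, 16) : 0;
}

/* OR together every bit that differs from the first sample: each set bit is a
 * position the kernel randomised between two execs of the same binary. */
unsigned long varying_mask(const char **lines, int n)
{
    unsigned long base = parse_addr(lines[0]), mask = 0;
    for (int i = 1; i < n; i++)
        mask |= parse_addr(lines[i]) ^ base;
    return mask;
}

/* Lowest randomised bit, or -1 if nothing varied; the bits below it (the
 * offset within the page) stayed constant across the sampled runs. */
int lowest_varying_bit(unsigned long mask)
{
    int b = 0;
    if (!mask) return -1;
    while (!(mask & 1UL)) { mask >>= 1; b++; }
    return b;
}

/* /proc/sys/kernel/randomize_va_space: 0 off, 1 stack/mmap, 2 brk too; -1 if unreadable. */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

int main(void)
{
    unsigned long m = varying_mask(SAMPLE_LINES, 3);
    printf("randomised bits 0x%08lx, lowest bit %d, randomize_va_space=%d\n", m, lowest_varying_bit(m), aslr_setting());
    return 0;
}
```

With only three samples the mask shows a lower bound on the randomised bits; more runs reveal more of them.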

