Hey everyone...

*Please flame me if this is inapropriate (im just trying to learn).
*Or if I tottaly don't get it... Wich is possible.

Im currently working on an overflow exploit on my fedora 4 box...
Now i know about the stack and malloc() heap being non-exec...
So im trying to ret to libc. Correct?

Anyways heres where it gets hairy...
Im trying to export /bin/sh string to an environment variable. (don't judge yet!)

$ export BINSH="/bin/sh"

Now to retrive the address of this variable im using getenv() of course.
Heres the source.. its from Jon Erikson's "The Art of Exploitation"

#include <stdlib.h>

int main(int argc, char *argv[])
{
char *addr;
if(argc < 2)
{
printf("Usage:\n%s <environment variable name>\n", argv[0]);
exit(0);
}
addr = getenv(argv[1]);
if(addr == NULL)
printf("The environment variable %s doesn't exist.\n", argv[1]);
else
printf("%x is located at %p\n", argv[1], addr);
return 0;
}

Now iv'e compiled it and ran it like the following:

$ ./gtenv BINSH
bfeada13 is located at 0xbfeade91

Now... Shoudn't this read:
BINSH is located at 0xbfeade91

Whats happening?
The so called "variable" also changes name and address. Why?

$ ./gtenv BINSH
bfbb7a13 is located at 0xbfbb7e91
$ ./gtenv BINSH
bff97a13 is located at 0xbff97e91

Does it have anything to do with the exec-shield feature?
Is there another way to store this in memory?
Or am i tottaly stupid?

Im eventually going to need to export a path to a "wrapper" so i need to figure this out.

Well thats it...
Give the newb a hand.

At first, replace %x by %s in your printf. %x expects an int, you're giving it a pointer.

I punt wrt the rest.

hth --Jonas

Thx bud... that did it for variable's name...
Its a wonder why i didn't notice that myself.

Now is the pointer suppose to change like this:

# ./gtenv BINSH
BINSH is located at 0xbfb11f17
# ./gtenv BINSH
BINSH is located at 0xbf9a7f17
# ./gtenv BINSH
BINSH is located at 0xbfe81f17

If so... why is this?
And how can i use this as an argument if it changes all the time?