在gdb中查找环境变量地址时的奇怪之处

Question

Recently I'm doing some Return-to-libc attack experiment base on the paper Bypassing non-executable-stack during exploitation using return-to-libc with my Ubuntu11.10.

Before my experiment I closed the ALSR.

According to the paper, I can find address of the environment variable SHELL="/bin/bash" in gdb(use gdb to debug the program I want to attack):

But I found that this address is wrong when I try to use it to Return-to-libc experiment.

And then I write a simple program to get the environment variable address:

When I run this program in the Terminal, I get the right address:



With this address I can do the attack.

I also find the related question about this. But the answers doesn't really make sense(the second one may be better).

Just tell me some details about this, please.

Answer 1

From your screenshots, I'll assume you're running on an 32-bit intel platform. I haven't spent the time to fully research an answer to this, but these are points worth noting:

1. I'll bet that your entire environment is in about the same place, and is packed together tightly as c-style strings. (try x/100s **(char***)&environ ).
2. When I tried ths on my x86-64 installation, the only thing I saw after the environment was my command line, and some empty strings.
3. At 0xBffff47A , you're very close to the top of user address space (which ends at 0xC0000000 ).

So, my guess is that what's going on here is that:

1. The environment block and command line parameters are, at some point during startup, shoved in a packed form right at the end of user address space.
2. The contents of your environment are different when you run your program in GDB or in the terminal. For example, I notice " _=/usr/bin/gdb " when running under GDB, and I'll just bet that's only there when running under GDB.

The result is that, while your fixed pointer tends to land somewhere in the middle of the environment block, it doesn't land in the same place every time, since the environment itself is changing between runs.