I am using bash. I have switched off ASLR in Ubuntu 11.04 using
#sysctl -w kernel.randomize_va_space=0
And I have exported a variable from the shell using
$ export MYSHELL=/bin/sh
I wrote a C program to get the address of MYSHELL:

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *shell = getenv("MYSHELL");   /* pointer into the environment strings on the stack */
        if (shell)
            printf("%p\n", (void *)shell);  /* prints the address of the value string */
        return 0;
    }

It spat out 0xbffffe82. When I used it as a part of my attack for ret-to-libc, the address changes (although by a very small offset). Why does this happen?
Also, when I change the filename of the binary and use the previously successful address, it won't work, and it has been relocated to a different address. Why? In other words, what is the relation between binary names and environment variable addresses? Is this a protection feature by bash? How do I switch this off?
Note: this is not homework.
Stack layout at program startup is documented here. It should be obvious why changing the name of the program (its length, really) changes the layout.
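To make the answer's point concrete, here is an added example (not code from the question or the answer) that models the relevant part of the execve() stack layout on Linux: the kernel copies the executable's path to the very top of the new stack, then the environment strings from the last to the first, packed downward, so every environment string sits below the program path and moves when that path gets longer or shorter. The model's fixed stack top (0xc0000000, 32-bit, ASLR off) and the sample environment are assumptions, and the model ignores the argv strings, auxiliary vector and other data that the kernel places below the environment, since they do not affect environment addresses. It also accounts for one detail the answer does not mention: bash exports a variable named "_" holding the path of the command it runs, appended to the environment, so under bash a renamed binary shifts two strings above MYSHELL, not one. The program also walks the real environment of the running process to show the same packing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Assumed top of the string area with ASLR off on 32-bit Linux (the real
 * kernel starts a word or so lower); only the relative offsets matter here. */
#define MODEL_STACK_TOP 0xc0000000UL

/* Simplified model of how execve() fills the top of the new stack: the path of
 * the executable is copied first (highest address), then the environment
 * strings from the last to the first, each with its NUL, packed downward.
 * Returns the address the value of NAME would have (what getenv() returns),
 * or 0 if NAME is not in envp. */
unsigned long model_env_addr(unsigned long top, const char *exec_path,
                             const char *const *envp, size_t envc,
                             const char *name)
{
    unsigned long p = top - (strlen(exec_path) + 1);
    size_t n = strlen(name);
    for (size_t i = envc; i-- > 0;) {
        p -= strlen(envp[i]) + 1;
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return p + n + 1;           /* skip "NAME=" to reach the value */
    }
    return 0;
}

/* Constructed environment standing in for what the shell exported (assumption). */
static const char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin",
    "MYSHELL=/bin/sh",
    "HOME=/home/user",
};

/* Run the model for a given executable path. Bash appends "_=<path of the
 * command>" to the exported environment, so a rename changes both the exec
 * path string and the "_" string, which both sit above MYSHELL. */
unsigned long demo_addr_with_path(const char *exec_path, const char *name)
{
    char underscore[256];
    snprintf(underscore, sizeof underscore, "_=%s", exec_path);
    const char *env[] = { SAMPLE_ENV[0], SAMPLE_ENV[1], SAMPLE_ENV[2], underscore };
    return model_env_addr(MODEL_STACK_TOP, exec_path, env, 4, name);
}

/* Walk the real environment of this process and return the pointer to NAME's
 * value; for an unmodified initial environment this is what getenv() returns. */
char *observed_env_addr(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; e && *e; e++)
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e + n + 1;
    return NULL;
}

/* Check the packing the model relies on: each initial environment string
 * starts right after the previous one's NUL. Returns 1 if that holds. */
int env_strings_contiguous(void)
{
    if (!environ) return 1;
    for (size_t i = 0; environ[i] && environ[i + 1]; i++)
        if (environ[i + 1] != environ[i] + strlen(environ[i]) + 1)
            return 0;
    return 1;
}

int main(void)
{
    const char *name = "MYSHELL";
    char *p = observed_env_addr(name);
    if (p) printf("%s value lives at %p\n", name, (void *)p);
    else   printf("%s is not set; export it before running\n", name);
    printf("environment strings packed contiguously: %s\n",
           env_strings_contiguous() ? "yes" : "no");
    printf("model: binary /tmp/a -> 0x%lx, /tmp/ab -> 0x%lx\n",
           demo_addr_with_path("/tmp/a", name),
           demo_addr_with_path("/tmp/ab", name));
    return 0;
}
```

Running it after `export MYSHELL=/bin/sh` prints the real address of the value string and confirms that the environment strings are contiguous; the model lines show that adding one byte to the binary's name moves MYSHELL down by two bytes, one for the longer exec path and one for the longer "_" string, which is the kind of small, name-dependent offset the question describes.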