
Curious thing when finding environment variable address in gdb

Recently I've been doing some return-to-libc attack experiments based on the paper Bypassing non-executable-stack during exploitation using return-to-libc, on my Ubuntu 11.10.

Before my experiment I disabled ASLR.

According to the paper, I can find the address of the environment variable SHELL="/bin/bash" in gdb (using gdb to debug the program I want to attack):

[screenshot]

But I found that this address is wrong when I try to use it in the return-to-libc experiment.

And then I wrote a simple program to get the environment variable address:

[screenshot]

When I run this program in the Terminal, I get the right address:

[screenshot]

With this address I can do the attack.

I also found a related question about this. But the answers don't really make sense (the second one may be better).

Just tell me some details about this, please.

From your screenshots, I'll assume you're running on a 32-bit Intel platform. I haven't spent the time to fully research an answer to this, but these are points worth noting:

  1. I'll bet that your entire environment is in about the same place, and is packed together tightly as C-style strings (try x/100s **(char***)&environ ).
  2. When I tried this on my x86-64 installation, the only thing I saw after the environment was my command line, and some empty strings.
  3. At 0xBffff47A, you're very close to the top of user address space (which ends at 0xC0000000).

So, my guess is that what's going on here is that:

  1. The environment block and command line parameters are, at some point during startup, shoved in a packed form right at the end of user address space.
  2. The contents of your environment are different when you run your program in GDB or in the terminal. For example, I notice "_=/usr/bin/gdb" when running under GDB, and I'll just bet that's only there when running under GDB.

The result is that, while your fixed pointer tends to land somewhere in the middle of the environment block, it doesn't land in the same place every time, since the environment itself is changing between runs.
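The following C program is an added example (not the program from the question's screenshot, and not from the answer above) that makes the answer's two points measurable. It walks the process's own environment vector to show that the strings form one packed block, and it computes how far a given variable's value sits below the end of that block. With ASLR off, the block is laid out against a fixed top-of-stack address, so a variable's address is (fixed top) minus (bytes from the variable to the top); any entry that differs between runs and comes after the variable in the block moves it. The two small environment blocks at the top are constructed for the demonstration, not captured from a real system; the entry names and values in them are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* the real environment vector of this process */

/* Two constructed environment blocks (not real captures). They are
   identical up to and including SHELL and differ only in the entry that
   follows it, mimicking "_=/usr/bin/gdb" under gdb vs. "_=./victim" in a
   terminal. Each is laid out as packed C strings, like the real block. */
static char gdb_block[]  = "A=1\0SHELL=/bin/bash\0_=/usr/bin/gdb\0";
static char term_block[] = "A=1\0SHELL=/bin/bash\0_=./victim\0";
char *gdb_env[]  = { gdb_block,  gdb_block  + 4, gdb_block  + 20, NULL };
char *term_env[] = { term_block, term_block + 4, term_block + 20, NULL };

/* Lowest byte and one-past-highest byte occupied by the strings of ENVP
   (each string counted including its terminating NUL). Returns the number
   of entries. */
size_t env_block_bounds(char *const *envp, const char **lo, const char **hi)
{
    size_t n = 0;
    *lo = *hi = NULL;
    for (char *const *e = envp; *e; ++e, ++n) {
        const char *s = *e, *end = s + strlen(s) + 1;
        if (!*lo || s < *lo) *lo = s;
        if (!*hi || end > *hi) *hi = end;
    }
    return n;
}

/* 1 if the strings of ENVP form one gap-free run of packed C strings. */
int env_block_is_packed(char *const *envp)
{
    const char *lo, *hi;
    size_t n = env_block_bounds(envp, &lo, &hi), total = 0;
    for (char *const *e = envp; *e; ++e) total += strlen(*e) + 1;
    return n > 0 && (size_t)(hi - lo) == total;
}

/* Pointer to the value of NAME inside ENVP (what getenv returns, but for
   any vector), or NULL if NAME is not present. */
const char *env_value(char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (char *const *e = envp; *e; ++e)
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=')
            return *e + len + 1;
    return NULL;
}

/* Bytes from the value of NAME up to the end of the block. With a fixed
   top-of-stack (ASLR off), address(NAME) = top - this distance, so only
   bytes *after* NAME in the block can move NAME's address. -1 if unset. */
long env_bytes_to_end(char *const *envp, const char *name)
{
    const char *lo, *hi, *v = env_value(envp, name);
    if (!v) return -1;
    env_block_bounds(envp, &lo, &hi);
    return (long)(hi - v);
}

int main(void)
{
    const char *lo, *hi;
    size_t n = env_block_bounds(environ, &lo, &hi);
    printf("%zu env strings, block %p..%p (%ld bytes), packed=%d\n",
           n, (const void *)lo, (const void *)hi, (long)(hi - lo),
           env_block_is_packed(environ));
    const char *shell = env_value(environ, "SHELL");
    if (shell)
        printf("SHELL value at %p, %ld bytes below the end of the block\n",
               (const void *)shell, env_bytes_to_end(environ, "SHELL"));

    /* The constructed blocks: same bytes before SHELL, different after it,
       so the same fixed top would put SHELL at two different addresses. */
    printf("constructed: under gdb SHELL is %ld bytes from the top, "
           "in a terminal %ld bytes\n",
           env_bytes_to_end(gdb_env, "SHELL"),
           env_bytes_to_end(term_env, "SHELL"));
    return 0;
}
```

Run it once from a terminal and once under gdb and compare the two SHELL addresses; the difference equals the difference in the bytes that follow SHELL in the block (the "_=" entry, the extra variables gdb adds such as LINES and COLUMNS, and the program path, which is stored after the environment strings), which is exactly the drift the answer describes.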
