Argument and
environment strings tend to shift far less in memory each time a program
executes, since they lie deeper in the stack than any padding bytes.
Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 18: From Vulnerability to Exploit (PART IV, pp. 470-471)

Dealing with Sanitized Arguments and Environment Strings

Because command-line arguments and environment strings are commonly used to store shellcode for local exploits, some programs take action to sanitize both. This can be done in a variety of ways, from checking for ASCII-only values to erasing the environment completely or building a custom environment from scratch. One last-ditch possibility for getting shellcode onto the stack in a reliable location is within the executable pathname stored near the very bottom of the stack. Two things make this option very attractive. First, this string is not considered part of the environment, so there is no pointer to it in the envp array. Programmers who do not realize this may forget to sanitize this particular string. Second, on systems without randomized stacks, the location of this string can be computed very precisely. The start of this string lies at:

    MAX_STACK_ADDRESS - (strlen(executable_path) + 1) - 4

where MAX_STACK_ADDRESS represents the bottom of the stack (often 0xC0000000 on Linux systems), and you subtract 4 for the null bytes at the very bottom and (strlen(executable_path) + 1) for the length of the ASCII path and its associated null terminator.
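The layout just described, as an added example that is not code from the book: a small C model of the string region at the bottom of the stack, laid out the way execve places it (pathname highest, envp strings below it, four null bytes above everything), together with the text's address formula and the kind of sanitizer that erases every string envp[] points to. It demonstrates the two points the text makes: no envp[] entry references the pathname string, so an envp-walking sanitizer leaves it intact, and on an unrandomized stack its offset from the bottom is exactly strlen(path) + 1 + 4. The path "/usr/local/bin/vuln", the three environment strings and the 256-byte buffer are constructed for illustration; MAX_STACK_ADDRESS is the 0xC0000000 quoted in the text. On Linux the optional main also prints the real process's pathname string as exposed through the auxiliary vector (glibc's getauxval(AT_EXECFN)), which is where a hardening routine that clears the environment should also look.

```c
/* Added example (not from the book). Models the string area at the very bottom
 * of a freshly exec'd stack (highest addresses), as the text describes it:
 *
 *   low addr  [argv strings][envp strings][executable pathname\0][4 null bytes]  MAX_STACK_ADDRESS
 *
 * All paths, environment strings and buffer sizes below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_EXECFN): the real process's pathname string */
#endif

#define MAX_STACK_ADDRESS 0xC0000000u   /* bottom of stack quoted in the text (classic 32-bit Linux) */
#define BOTTOM_NULLS 4                  /* null bytes at the very bottom of the stack */
#define MAX_ENV 8

/* The text's formula: start of the pathname string. */
static uint32_t exec_path_start(uint32_t max_stack, const char *path)
{
    return max_stack - (uint32_t)(strlen(path) + 1) - BOTTOM_NULLS;
}

/* Toy image of that region; mem + sizeof mem plays the role of MAX_STACK_ADDRESS. */
struct stack_image {
    char mem[256];
    char *envp[MAX_ENV + 1];   /* NULL-terminated pointer array, as the kernel builds it */
    char *execfn;              /* the pathname string; nothing in envp[] points here */
};

/* Lay the strings out the way execve does: pathname highest, then envp strings
 * copied downward so env[0] ends up lowest. Returns the lowest byte used. */
static char *build_image(struct stack_image *si, const char *path,
                         const char *const env[], size_t nenv)
{
    memset(si, 0, sizeof *si);
    char *p = si->mem + sizeof si->mem - BOTTOM_NULLS;
    p -= strlen(path) + 1;
    memcpy(p, path, strlen(path) + 1);
    si->execfn = p;
    for (size_t i = nenv; i-- > 0; ) {           /* env[nenv-1] lands just below the path */
        p -= strlen(env[i]) + 1;
        memcpy(p, env[i], strlen(env[i]) + 1);
        si->envp[i] = p;
    }
    si->envp[nenv] = NULL;
    return p;
}

/* The sanitizer the text warns about: erases every string envp[] points to. */
static void erase_envp_strings(char **envp)
{
    for (size_t i = 0; envp[i] != NULL; i++)
        memset(envp[i], 0, strlen(envp[i]));
}

/* 1 if some envp[] entry points at the pathname string; the kernel never makes one. */
static int envp_references_execfn(const struct stack_image *si)
{
    for (size_t i = 0; si->envp[i] != NULL; i++)
        if (si->envp[i] == si->execfn)
            return 1;
    return 0;
}

/* Distance of the pathname start from the stack bottom in the model. If the model
 * matches the text, this equals MAX_STACK_ADDRESS - exec_path_start(...). */
static size_t execfn_offset_from_bottom(const struct stack_image *si)
{
    return (size_t)((si->mem + sizeof si->mem) - si->execfn);
}

/* Builds the image, runs the envp-only sanitizer, and returns 1 if the pathname
 * string survived while the environment strings were erased. */
static int pathname_survives_envp_erase(struct stack_image *si, const char *path)
{
    static const char *const env[] = { "HOME=/home/user", "PATH=/usr/bin", "LANG=C" };  /* constructed */
    build_image(si, path, env, 3);
    erase_envp_strings(si->envp);
    return strcmp(si->execfn, path) == 0 && si->envp[0][0] == '\0';
}

int main(void)
{
    const char *path = "/usr/local/bin/vuln";   /* constructed path, 19 characters */
    struct stack_image si;
    int survived = pathname_survives_envp_erase(&si, path);

    printf("formula: pathname string starts at 0x%08x\n",
           (unsigned)exec_path_start(MAX_STACK_ADDRESS, path));
    printf("model:   pathname is %zu bytes below the bottom (formula: %u)\n",
           execfn_offset_from_bottom(&si),
           (unsigned)(MAX_STACK_ADDRESS - exec_path_start(MAX_STACK_ADDRESS, path)));
    printf("envp[] points at the pathname: %s\n", envp_references_execfn(&si) ? "yes" : "no");
    printf("pathname intact after erasing envp strings: %s\n", survived ? "yes" : "no");
#ifdef __linux__
    /* In a real process the same string is reachable only via the auxiliary vector. */
    printf("this process, AT_EXECFN: %s\n", (const char *)getauxval(AT_EXECFN));
#endif
    return 0;
}
```

The model reproduces the book's arithmetic: with the 19-character path the string begins 24 bytes below the bottom, 0xBFFFFFE8 for MAX_STACK_ADDRESS = 0xC0000000. On current systems two things change the picture for a defender: stack randomization makes MAX_STACK_ADDRESS unpredictable per execution, and a sanitizer that wants to cover this string must locate it through AT_EXECFN rather than by walking envp.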