Getting the address of an environment variable

I have an environment variable and I am trying to get its memory address. I have:

    memset(&buffer, 0x90, 517);
    memcpy(&buffer[517-strlen(shellcode)],shellcode,strlen(shellcode));
    setenv("EGG",buffer,1);
    putenv(buffer);
    printf("EGG address: 0x%1x\n", getenv("EGG"));
    system("bash");

The selected memory address was 0x804b00c. It didn't look right. I tested it with GDB: x/x 0x804b00c. It said it could not access memory at 0x804b00c. So getenv is basically giving me garbage memory. I called env to make sure the variable EGG was set, and it was.

Why can't I get the memory address of EGG?

+3




2 answers


Thanks for this question, another learning opportunity!

Redesigned the code as follows:

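    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
      /* putenv() takes a writable char * and keeps this pointer in the environment */
      char shellcode[] = "EGG=whatever";

      putenv(shellcode);

      /* %08X expects an unsigned int, so the pointer is cast; a 64-bit build shows only the low 32 bits */
      printf("EGG address @%08X\n", (unsigned int)(uintptr_t)getenv("EGG"));

      printf("EGG value is <%s>.", getenv("EGG"));

      return 0;
    }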

      



This code works in the Eclipse / Microsoft C compiler environment. Please note, I didn't need to call setenv or bash or issue a system command. This example sets the environment variable EGG for the process.

Also note the difference between the EGG address and its actual value. In the first case, getenv returns a char *, which is a pointer to the store, as defined by the %08X part of the printf statement, and %s essentially overrides the char pointer returned by getenv. Also, getenv() is found via the #include <stdlib.h> operator.

+2
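Added example (not part of either answer and not the asker's code): the question calls both setenv and putenv before getenv, so this C program checks where the pointer returned by getenv actually lives in each case. The variable name EGG_DEMO, the helper names and the sample strings are constructed for the illustration.

```c
#define _XOPEN_SOURCE 600  /* exposes setenv() and putenv() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if the pointer getenv(name) returns lies inside buf[0..len), 0 if not, -1 if unset. */
static int value_inside(const char *name, const char *buf, size_t len)
{
    uintptr_t p = (uintptr_t)getenv(name), lo = (uintptr_t)buf;
    return p ? (p >= lo && p < lo + len) : -1;
}

/* setenv() copies name and value into storage owned by libc. */
int setenv_aliases_caller_buffer(void)
{
    static char value[] = "constructed-sample-value";
    if (setenv("EGG_DEMO", value, 1) != 0)
        return -1;
    return value_inside("EGG_DEMO", value, sizeof value);
}

/* putenv() stores the caller's pointer, so the "NAME=value" array must stay valid. */
int putenv_aliases_caller_buffer(void)
{
    static char entry[] = "EGG_DEMO=constructed-sample-value";
    if (putenv(entry) != 0)
        return -1;
    return value_inside("EGG_DEMO", entry, sizeof entry);
}

/* Editing the array after putenv() changes the environment in place. */
int putenv_buffer_edit_is_visible(void)
{
    static char entry[] = "EGG_DEMO=aaaa";
    if (putenv(entry) != 0)
        return -1;
    entry[strlen("EGG_DEMO=")] = 'b';   /* first byte of the value */
    return strcmp(getenv("EGG_DEMO"), "baaa") == 0;
}

int main(void)
{
    printf("setenv aliases: %d\n", setenv_aliases_caller_buffer());
    printf("putenv aliases: %d\n", putenv_aliases_caller_buffer());
    /* %p with a void * cast prints the full pointer on 32- and 64-bit builds. */
    printf("EGG_DEMO @ %p\n", (void *)getenv("EGG_DEMO"));
    return 0;
}
```

The address printed is meaningful only inside the process that printed it; a child process started afterwards receives its own copy of the environment.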




Provisional answer: you have a little-endian machine. Thus, words (4 bytes, word-aligned) are stored with the half-words, and the bytes within the half-words, SWAPPED. 0x0804b00c is most likely 0x0cb04b80.

Let's try to write our own C code to do what you want and post a second note.

+1








