Recently I’m doing some Return-to-libc attack experiment base on the paper Bypassing non-executable-stack during exploitation using return-to-libc with my Ubuntu11.10.
Before my experiment I closed the ALSR.
According to the paper, I can find address of the environment variable SHELL=”/bin/bash” in gdb(use gdb to debug the program I want to attack):
But I found that this address is wrong when I try to use it to Return-to-libc experiment.
And then I write a simple program to get the environment variable address:
When I run this program in the Terminal, I get the right address:
With this address I can do the attack.
I also find the related question about this. But the answers doesn’t really make sense(the second one may be better).
Just tell me some details about this, please.
From your screenshots, I’ll assume you’re running on an 32-bit intel platform. I haven’t spent the time to fully research an answer to this, but these are points worth noting:
x/100s **(char***)&environ).0xBffff47A, you’re very close to the top of user address space (which ends at0xC0000000).So, my guess is that what’s going on here is that:
_=/usr/bin/gdb” when running under GDB, and I’ll just bet that’s only there when running under GDB.The result is that, while your fixed pointer tends to land somewhere in the middle of the environment block, it doesn’t land in the same place every time, since the environment itself is changing between runs.