Randomization of environment variable addresses

一世执手 submitted on 2020-01-04 10:41:52

Question


I am using bash. I have switched off ASLR in Ubuntu 11.04 using

#sysctl -w kernel.randomize_va_space=0

And I have exported a variable from the shell using

$ export MYSHELL=/bin/sh

I wrote a C program to get the address of MYSHELL:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char *shell = getenv("MYSHELL");   /* pointer to the value, i.e. just past "MYSHELL=" on the stack */
    if (shell)
        printf("%p\n", (void *)shell); /* %p prints the pointer without truncating it on 64-bit */
    return 0;
}

It spat out 0xbffffe82. When I used it as part of my ret-to-libc attack, the address changed (although by a very small offset). Why does this happen?

Also, when I change the filename of the binary and use the previously successful address, it won't work, and the variable has been relocated to a different address. Why? In other words, what is the relation between binary names and environment variable addresses? Is this a protection feature of bash? How do I switch it off?

Note: this is not homework.


Answer 1:


Stack layout at program startup is documented here. It should be obvious why changing the name of the program (length really) changes the layout.



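Added example (not from the question or the answer above): a C program that makes the layout the answer refers to measurable. On Linux the kernel copies the execve() path onto the initial stack first (it is what AT_EXECFN points to), then the environment strings, last entry first, each directly below the previous one, and bash additionally passes the command path as the entry `_=<path>`, normally the last one. So renaming the binary by one byte moves a variable such as MYSHELL by two bytes under bash (one for the execve path, one for `_=`), and by one byte when the launcher does not set `_`. The program locates the variable in the real environment, checks the measured distance below AT_EXECFN against the one computed from the string lengths alone (this check does not depend on ASLR), and, for a 32-bit process, predicts the absolute address assuming the strings start one pointer below the 0xc0000000 stack top with randomization off. `find_env_index`, `value_offset_below_execfn`, `predict_value_addr` and the two SAMPLE_ENV arrays are my own names; the sample environments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(AT_EXECFN): Linux (glibc or musl) */

extern char **environ;  /* the envp array the kernel built, still in its original order */

/* Constructed sample environments for the self-test: the same export passed
 * under two program names, as bash would pass them (bash appends "_=<path>"). */
static char *const SAMPLE_ENV_A[]  = {"PATH=/usr/bin", "MYSHELL=/bin/sh", "_=./a",  NULL};
static char *const SAMPLE_ENV_AB[] = {"PATH=/usr/bin", "MYSHELL=/bin/sh", "_=./ab", NULL};

/* Index of the "NAME=value" entry in envp, or -1 if NAME is not set.
 * Matches the whole name, so "MYSH" does not match "MYSHELL=". */
long find_env_index(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (long i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return i;
    }
    return -1;
}

/* Bytes from the start of the execve() filename string (AT_EXECFN) down to the
 * value of envp[idx]. Only entries with index >= idx lie between the two,
 * because the kernel copies the last entry first and each one below the previous. */
size_t value_offset_below_execfn(char *const *envp, long idx)
{
    size_t sum = 0;
    for (long i = idx; envp[i] != NULL; i++)
        sum += strlen(envp[i]) + 1;              /* string plus its NUL terminator */
    const char *eq = strchr(envp[idx], '=');     /* the value starts after '=' */
    size_t name_part = eq ? (size_t)(eq - envp[idx]) + 1 : 0;
    return sum - name_part;
}

/* Absolute address the value of envp[idx] gets when `path` is executed with
 * exactly this envp and ASLR off. Assumption: the strings start one pointer
 * below stack_top and grow downwards (Linux layout, stack_top 0xc0000000 on x86-32). */
unsigned long predict_value_addr(unsigned long stack_top, size_t ptr_size,
                                 const char *path, char *const *envp, long idx)
{
    unsigned long execfn = stack_top - ptr_size - (strlen(path) + 1);
    return execfn - value_offset_below_execfn(envp, idx);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "MYSHELL";
    long idx = find_env_index(environ, name);
    if (idx < 0) {
        fprintf(stderr, "%s is not in the environment; export it first\n", name);
        return 1;
    }
    const char *value = getenv(name);
    const char *execfn = (const char *)getauxval(AT_EXECFN);
    long underscore = find_env_index(environ, "_");

    printf("argv[0]        = %s (%zu bytes)\n", argv[0], strlen(argv[0]));
    printf("AT_EXECFN      = %s at %p\n", execfn ? execfn : "(unset)", (const void *)execfn);
    if (underscore >= 0)
        printf("bash's _ entry = %s at %p\n", environ[underscore], (const void *)environ[underscore]);
    printf("%s value  = %s at %p\n", name, value, (const void *)value);

    /* Self-check of the model, independent of ASLR: the measured distance
     * below AT_EXECFN must equal the one computed from string lengths alone. */
    if (execfn) {
        size_t predicted = value_offset_below_execfn(environ, idx);
        size_t measured = (size_t)(execfn - value);
        printf("offset below AT_EXECFN: measured %zu, predicted %zu (%s)\n",
               measured, predicted, measured == predicted ? "match" : "MISMATCH");
        if (sizeof(void *) == 4)   /* x86-32 with randomize_va_space=0 */
            printf("predicted address with ASLR off: %#lx\n",
                   predict_value_addr(0xc0000000UL, 4, execfn, environ, idx));
    }
    return 0;
}
```

Build with `gcc -m32 -o a envaddr.c` (or without `-m32` for a 64-bit check of the offset only), `export MYSHELL=/bin/sh`, then run it as `./a` and again after `cp a ab; ./ab`: the MYSHELL address drops by two bytes because both the execve path and bash's `_=` entry grew by one. The practical consequence for the ret-to-libc attack is that the helper used to measure the address and the target must be started the same way, with paths of equal length, or the difference must be applied to the measured value.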
Source: https://stackoverflow.com/questions/7781494/randomization-of-environment-variable-addresses
