Finding environment variables with gdb, to exploit a buffer overflow

environ is a pointer to a pointer, as it has the type char **environ.

You have to try something like:

(gdb) x/s *((char **)environ)
0xbffff688:      "SSH_AGENT_PID=2107"
(gdb) x/s *((char **)environ+1)
0xbffff69b:      "SHELL=/bin/bash"

  • Environment variables are 16 bytes from the base pointer (%ebp).
  • Put a breakpoint in the main function and do this:

(gdb) x/wx $ebp+0x10
0xffffd3f8: 0xffffd48c
(gdb) x/wx 0xffffd48c
0xffffd48c: 0xffffd67e
(gdb) x/s 0xffffd67e
0xffffd67e: "XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0"
(gdb) x/wx 0xffffd48c+4
0xffffd490: 0xffffd6b2
(gdb) x/s 0xffffd6b2
0xffffd6b2: "XDG_CONFIG_DIRS=/etc/xdg/lubuntu:/etc/xdg/xdg-Lubuntu:/usr/share/upstart/xdg:/etc/xdg"

Refer to this blog.
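The two walks above (dereferencing char **environ in the first answer, reading envp at $ebp+0x10 in the second) as an added C example; this is not code from the question or from either answer. It assumes a 32-bit-style three-argument main, where envp is the slot after the saved return address, argc and argv, and the helper and variable names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* the same char **environ the first answer dereferences */

/* Walk an envp/environ array and return the "NAME=value" entry whose name
 * matches exactly (so "SHELL" does not match "SHELLOPTS"), or NULL. */
const char *find_env_entry(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (char **p = envp; *p != NULL; p++) {
        if (strncmp(*p, name, n) == 0 && (*p)[n] == '=')
            return *p;
    }
    return NULL;
}

/* Index of that entry, i.e. the +1, +2, ... the first answer adds to environ;
 * -1 if the variable is absent. */
int env_entry_index(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return i;
    }
    return -1;
}

/* envp is main's third argument: on 32-bit x86 it is the slot the second
 * answer reads at $ebp+0x10, after the saved return address ($ebp+4),
 * argc ($ebp+8) and argv ($ebp+0xc). At startup it is the same array as environ. */
int main(int argc, char **argv, char **envp)
{
    (void)argc; (void)argv;
    printf("envp=%p environ=%p same=%d\n", (void *)envp, (void *)environ, envp == environ);

    const char *e = find_env_entry(envp, "SHELL");
    if (e != NULL)
        printf("SHELL is entry %d at %p: \"%s\"\n", env_entry_index(envp, "SHELL"), (const void *)e, e);

    /* The strings the kernel placed are laid out back to back, so the next entry
     * starts strlen(entry)+1 bytes later; this is why 0xbffff688 + 19 = 0xbffff69b
     * and 0xffffd67e + 52 = 0xffffd6b2 in the transcripts above. */
    for (int i = 0; envp[i] != NULL && i < 3; i++)
        printf("[%d] %p  %s\n", i, (const void *)envp[i], envp[i]);
    return 0;
}
```

Addresses printed under gdb differ from a plain run because gdb adds LINES and COLUMNS to the inferior's environment, which shifts every string that follows them.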


If you have PEDA installed for gdb, then you could simply type this in gdb:

gdb-peda$ searchmem SHELL

The output would show

Searching for 'SHELL' in: None ranges
Found 1 results, display max 1 items:
[stack] : 0xbffff540 ("SHELL=/bin/bash")