Finding environment variables with gdb, to exploit a buffer overflow
environ is a pointer to pointer, as it has the type char **environ.
You have to try something like:
(gdb) x/s *((char **)environ)
0xbffff688: "SSH_AGENT_PID=2107"
(gdb) x/s *((char **)environ+1)
0xbffff69b: "SHELL=/bin/bash"
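As an added example (not part of the answer above), a small C program that walks the same char **environ array from inside the process, printing the address and contents of each entry the way the x/s commands do. The variable EXAMPLE_VAR is constructed here so the lookup has a predictable hit.

```c
/* Walk environ (char **) entry by entry, as the gdb session does by hand.
 * Entries inherited at exec live near the top of the stack (the 0xbfff....
 * / 0xffffd... addresses shown above); entries added later with setenv()
 * are heap-allocated, so their addresses will look different. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* NULL-terminated array of "NAME=value" strings */

/* Return the whole "NAME=value" entry for NAME, or NULL if it is absent.
 * Unlike getenv(), this gives the address gdb prints for x/s, i.e. the
 * start of "NAME=", not the start of the value. */
char *find_env_entry(const char *name)
{
    size_t n = strlen(name);
    for (char **ep = environ; *ep != NULL; ep++) {
        if (strncmp(*ep, name, n) == 0 && (*ep)[n] == '=')
            return *ep;
    }
    return NULL;
}

/* Number of entries in environ, excluding the terminating NULL. */
size_t env_count(void)
{
    size_t i = 0;
    while (environ[i] != NULL)
        i++;
    return i;
}

int main(void)
{
    setenv("EXAMPLE_VAR", "hello", 1);   /* constructed sample variable */

    printf("environ array at %p with %zu entries\n",
           (void *)environ, env_count());
    for (size_t i = 0; i < env_count(); i++)
        printf("environ[%zu] @ %p -> \"%s\"\n", i, (void *)environ[i], environ[i]);

    char *hit = find_env_entry("EXAMPLE_VAR");
    printf("EXAMPLE_VAR entry at %p: %s\n", (void *)hit, hit ? hit : "(not found)");
    return 0;
}
```

Compile with -g and run it under gdb to compare its printed addresses with x/s *((char **)environ+N).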
- Environment variables are 16 bytes from the base pointer (%ebp).
- Put a breakpoint in the main function and do this:
(gdb) x/wx $ebp+0x10
0xffffd3f8: 0xffffd48c
(gdb) x/wx 0xffffd48c
0xffffd48c: 0xffffd67e
(gdb) x/s 0xffffd67e
0xffffd67e: "XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0"
(gdb) x/wx 0xffffd48c+4
0xffffd490: 0xffffd6b2
(gdb) x/s 0xffffd6b2
0xffffd6b2: "XDG_CONFIG_DIRS=/etc/xdg/lubuntu:/etc/xdg/xdg-Lubuntu:/usr/share/upstart/xdg:/etc/xdg"
Refer to this blog.
If you have peda installed for gdb, then you could simply type this in gdb:
gdb-peda$ searchmem SHELL
The output would show
Searching for 'SHELL' in: None ranges
Found 1 results, display max 1 items:
[stack] : 0xbffff540 ("SHELL=/bin/bash")