Why is my setenv() call not working?

Question

I wrote the following C code to set the env variable to \x09. But when I use echo $EGG | hexdump, I see that it sets it to 00. This problem happens only when the first nibble is zero. Any clue what is wrong?

char shellcode[] = "\x09";

main() {
    setenv("EGG", shellcode, 1);
    system("/bin/bash");

    return 0;
}

You should terminate the string (char shellcode[]) with the 0 (NULL) character. — user1284631, Dec 17 '12 at 11:02
@axeoth String literals are always terminated, except when used to inialize an array of the non-terminated length. — unwind, Dec 17 '12 at 11:04
@unwind: mea culpa, you are right. I saw a literal character (between aprostrophes). I was wrong. — user1284631, Dec 17 '12 at 11:05
Do a `set | grep EGG` (before leaving the shell) and you'll see it worked. — alk, Dec 17 '12 at 11:11

Dmytro Sirenko · Answer 1 · 2012-12-17T11:32:56.027

4

The problem is that characters 0x08, 0x09, 0x0a, 0x0b, 0x0c ... are considered whitespace characters and are stripped from a variable value. If you try to set 0x01, it'll be visible in the shell.

P.S. It looks like the variable is set to \x09 but is not echoed by the shell: Indeed:

prev_sh_$ ./so2 
$ export IFS=" \n"
$ echo $EGG | hexdump
0000000 0a09                                   
0000002

0x0a (\n) is added by the shell to print the value on the next line.

edited Dec 17 '12 at 11:32

answered Dec 17 '12 at 11:10

Dmytro Sirenko

5,003
21
26

Can you show documentation about this behavior? I cannot seem to find it – Veger Dec 17 '12 at 11:24
1

@Veger See: `man bash` (section `Word Splitting`); The env/ var/ `IFS` can be used to change this behaviour (for `bash` at least). Anyway, the man page states that only the characters set by `IFS` are swollowed away. – alk Dec 17 '12 at 11:25
Ah... it is actually properly set, but striped the shell. I was looking at the `setenv()` documentation which did not mention anything about disallowed characters. – Veger Dec 17 '12 at 11:28
The problem is that then I then try to yield $EGG as an argument to another program and the problem still holds. For instance, if I use ./prog $EGG, when I debug it, in argv[1], 0x09 is replaced by 00, even if IFS is set as described above. – Afshin Dec 17 '12 at 13:10
Rather than modify `IFS`, just quote the value of `$EGG`: `echo "$EGG" | hexdump` – chepner Dec 17 '12 at 16:39
thanks chepner, I was giving a big hex string to my prog, and forgot that some of those machine instructions can be in fact the ascii equivalent of space or tab. Thanks for your solution. – Afshin Dec 17 '12 at 18:09

score 2 · Answer 2 · answered Dec 17 '12 at 11:08

2

Well, your code works correctly ;)

0x09 is the ASCII code tab key.

So EGG is set to tab key. When you print it, it actually prints tab which you don't normally recognize in the console.

answered Dec 17 '12 at 11:08

P.P

117,907
20
175
238

1

The OP is piping the echo output to `hexdump`, so the tab should be visible? – Veger Dec 17 '12 at 11:11
@Veger Earl answered that I guess. – P.P Dec 17 '12 at 11:21

Why is my setenv() call not working?

2 Answers2