
For a university project I have to perform a buffer overflow with some programs given by the professor.

I want to set up my shellcode environment variable with Python and I do that with:

import os
os.environ["EGG"] = "..."   # item assignment: os.environ is a mapping, not a callable
os.system('bash')           # the child bash inherits a copy of this environment

So now Python spawns a child bash process. But now how can I print the address of EGG? I have done this with C:

#include <stdlib.h>
#include <stdio.h>

int main(void){
    /* "%p" with a (void *) cast is the portable way to print a pointer;
       "%x" with a char * argument is undefined behaviour. */
    char *egg = getenv("EGG");
    if (egg == NULL) {
        puts("EGG is not set");
        return 1;
    }
    printf("%p\n", (void *)egg);
    return 0;
}

but I want to do it with Python. Can anyone help?

Davide Cremona
  • http://stackoverflow.com/questions/4906977/how-to-access-environment-variables-from-python – nikli May 11 '16 at 09:23
  • What would you do with this address? Are you aware that each process has its own address space and its own copy of the environment? – interjay May 11 '16 at 09:26
  • @interjay: once I print the address, I can launch (remaining in the child bash process spawned by Python) the vulnerable program overwriting the return address with the one of my environment variable to execute the shellcode – Davide Cremona May 11 '16 at 09:29
  • Though shellcode is probably going to use some implementation-specified or undefined behaviour anyway, it might be pointless to point out that `printf("%x", getenv("EGG"))` is undefined behaviour: `"%x"` expects an `unsigned int` argument, but you gave it `char *`. The correct format specifier and call would be `printf("%p", (void *)getenv("EGG"))`. – Ilja Everilä May 11 '16 at 09:41
  • @D.C. The address of the environment variable in the child bash process won't be the same as the address in the Python process. – interjay May 11 '16 at 10:06
  • @interjay at the end I have used gdb to get the address of my environment variable, without using Python or C – Davide Cremona May 11 '16 at 11:36

1 Answer


You can use id() (https://docs.python.org/2/library/functions.html#id):

id(os.environ.get('EGG'))

in hex:

hex(id(os.environ.get('EGG')))

Yaron
  • I have tried this but the C program and the Python one give me different results... – Davide Cremona May 11 '16 at 09:34
  • That would be the id (address in CPython) of the Python string corresponding to the env variable of the Python process. A very different thing from the environment of the child process and a C string. – Ilja Everilä May 11 '16 at 09:34
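The points made in the comments (each process has its own copy of the environment, and id() returns the address of a CPython str object rather than of the C string that getenv() sees) can be checked directly. This is an added example, not code from the question or the answer; it assumes CPython on a platform where ctypes can reach the C library's getenv(), and the value stored in EGG is a constructed sample.

```python
import ctypes
import ctypes.util
import os
import subprocess
import sys

# Assumption: CPython on a platform whose C library exposes getenv() through ctypes.
libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
libc.getenv.restype = ctypes.c_void_p      # keep the raw pointer instead of auto-converting to bytes
libc.getenv.argtypes = [ctypes.c_char_p]


def env_cstring_address(name):
    """Address of NAME's C string in this process, as the C program's getenv() sees it (0 if unset)."""
    return libc.getenv(name.encode()) or 0


def python_object_address(name):
    """What the answer's id() really returns: the address of the CPython str object."""
    return id(os.environ.get(name))


def child_cstring_address(name):
    """Repeat the getenv() lookup in a child interpreter, which receives its own copy of the environment."""
    code = ("import ctypes, ctypes.util;"
            "l = ctypes.CDLL(ctypes.util.find_library('c') or None);"
            "l.getenv.restype = ctypes.c_void_p;"
            f"print(l.getenv({name.encode()!r}) or 0)")
    out = subprocess.run([sys.executable, "-c", code], capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def compare(name, value):
    """Set NAME=VALUE (constructed sample) and report the three addresses the thread confuses."""
    os.environ[name] = value                 # item assignment also calls putenv(), so libc sees it
    c_addr = env_cstring_address(name)
    # Only the getenv() address points at the characters of VALUE; id() points at a PyObject header.
    holds_value = ctypes.string_at(c_addr, len(value)).decode() == value
    return {"c_addr": c_addr,
            "py_addr": python_object_address(name),
            "child_addr": child_cstring_address(name),
            "c_addr_holds_value": holds_value}


if __name__ == "__main__":
    r = compare("EGG", "constructed-egg-value")
    print("getenv() in this process:", hex(r["c_addr"]), "holds the value:", r["c_addr_holds_value"])
    print("id() of the Python str  :", hex(r["py_addr"]))
    print("getenv() in a child     :", hex(r["child_addr"]))
```

The child's address is reported for comparison only; with ASLR it normally differs from the parent's, which is exactly why an address read in one process is not usable in another.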