I am reading a book called "Hacking: The art of exploitation" and I came across this paragraph:
> With execl(), the existing environment is used, but if you use execle(), the entire environment can be specified. If the environment array is just the shellcode as the first string (with a NULL pointer to terminate the list), the only environment variable will be the shellcode. This makes its address easy to calculate. In Linux, the address will be 0xbffffffa, minus the length of the shellcode in the environment, minus the length of the name of the executed program. Since this address will be exact, there is no need for a NOP sled.
What do they mean by specifying the environment?
What classifies different environments?
Why is the address of the environment variable calculated that way (or more specifically why is the base address 0xbffffffa)?
If I used the execl() function instead of the execle() could I not have used the shellcode environment variable?
> What do they mean by specifying the environment?

The last argument passed to execle() is an array of char pointers, which contain C strings describing the environment variables the executed program will see. Here is an example.
> What classifies different environments?

I don't quite get this one. Each program has its own set of environment variables, that's it.
> Why is the address of the environment variable calculated that way (or more specifically why is the base address 0xbffffffa)?

Because the Linux kernel is implemented like so.
> If I used the execl() function instead of the execle() could I not have used the shellcode environment variable?

execl() does not let you specify environment variables, if that's what you're interested in.
```c
int execle(const char *path, const char *arg0, ...
           /* const char *argn, (char *)0, char *const envp[] */);
```
The envp[] array is a pointer to all of the UNIX environment variables for the process to be created. That defines the "environment" for the new process.
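To make "specifying the environment" concrete, here is an added example (not from the book or either answer above) that fork()s, runs /usr/bin/env with execle() and exactly the envp array given, and captures what the child prints. The child sees only the strings in that array, nothing inherited from the parent, which is the property the book relies on; a harmless marker string stands in for the shellcode. It assumes a POSIX system with /usr/bin/env available.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run /usr/bin/env with exactly the environment in envp (NULL-terminated),
 * capture its stdout into out (at most outlen-1 bytes, NUL-terminated) and
 * return the number of bytes captured, or -1 on failure. With execl() the
 * child would instead inherit the parent's environ; with execle() the
 * envp array *is* the child's whole environment. */
ssize_t run_env_with(char *const envp[], char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                       /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);      /* send env's output to the pipe */
        close(fds[1]);
        /* argv list, NULL terminator, then the explicit environment. */
        execle("/usr/bin/env", "env", (char *)0, envp);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);                        /* parent reads the pipe */
    size_t total = 0;
    ssize_t n;
    while (total < outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    close(fds[0]);
    out[total] = '\0';
    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}

/* Single-variable environment, the shape the book describes: one string
 * (here a constructed, harmless marker) followed by the NULL terminator. */
ssize_t run_env_single(const char *var, char *out, size_t outlen) {
    char *envp[] = { (char *)var, NULL };
    return run_env_with(envp, out, outlen);
}
```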