
I am trying to do a return-to-libc attack. The problem is that I need the address of an environment variable on the stack for the argument of a gadget. I tried the following code with Python, but it seems that it gives an offset or something else? I am not sure about that.

from pwn import *
import os

# start the target with an extra environment variable
r = process('/rop_level', env={'MYENV': 'cat /flag'})
# look the same name up in the exploit script's own environment
os.environ.get('MYENV')
h = os.environ.get('MYENV')
# CPython object identity of the string h in this interpreter
hex(id(h))

The result it gives is 0x9d4380. I kinda need an address at stack like 0x7ffe.....

The CTF challenge is located in a container which requires ssh so I may not be able to use gdb.

Gan Sama

1 Answer


As you already know, the environment variables are on the stack. So you need to leak a stack address in some way. Then you should calculate the offset between the leaked stack address and the environment variable by local debugging, and from that you calculate the environment variable's address.

wxk1997
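The procedure in the answer (leak a stack address, measure the offset to the environment string locally, add the two) as an added example that is not part of the question or the answer. It is a small standalone C program, not the challenge binary, and it assumes a Linux process where the startup environment strings sit near the top of the initial stack, so that the distance from any stack address inside the program to a given "NAME=value" string is constant between runs as long as the binary path, argv and environment have the same lengths. The variable name MYENV, the leaked address 0x7ffe00001000 and the offset 0x200 in the usage note are made up for illustration. The program scans environ rather than calling getenv() so it is clear which string is found; getenv() returns a pointer into the same startup string, so either works. Note that this is the target process's view of its own stack; the Python id() of a string in the exploit script is the interpreter's object address and has no relation to the target.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

extern char **environ;

/* Return the "NAME=value" string of a startup environment variable, or
   NULL if it is not set. Strings that were present at exec() live on the
   initial stack, above the auxiliary vector and the argv strings; a
   variable added later with setenv() lives on the heap instead, so its
   address would not be useful for this technique. */
char *find_env_string(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; e && *e; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e;
    }
    return NULL;
}

/* Distance from a local variable in this frame to the env string.
   A positive value means the string is at a higher address, which is the
   normal layout (the stack grows down, argv/envp strings are near the top).
   This is the number you measure on a local copy of the target and then
   add to the address leaked from the remote process. Returns 0 when the
   variable is absent. */
long offset_from_frame(const char *name)
{
    volatile char marker = 0;           /* a known stack address in this frame */
    char *s = find_env_string(name);
    if (!s)
        return 0;
    return (long)(s - (char *)&marker);
}

/* Combine a leaked remote stack address with a locally measured offset to
   get the address of the value part of NAME=value (skipping "NAME="),
   i.e. the pointer you would pass to system() via a pop rdi gadget. */
uintptr_t env_value_addr(uintptr_t leaked_stack, long offset, const char *name)
{
    return leaked_stack + (uintptr_t)offset + strlen(name) + 1;
}

int main(int argc, char **argv)
{
    /* hypothetical variable name; run as: MYENV='cat /flag' ./a.out MYENV */
    const char *name = argc > 1 ? argv[1] : "MYENV";
    char *s = find_env_string(name);
    if (!s) {
        fprintf(stderr, "%s was not set when the process started\n", name);
        return 1;
    }
    long off = offset_from_frame(name);
    printf("string   \"%s=...\" at %p\n", name, (void *)s);
    printf("value    at %p -> \"%s\"\n", (void *)(s + strlen(name) + 1), s + strlen(name) + 1);
    printf("offset from a local in offset_from_frame(): %ld (0x%lx)\n", off, (unsigned long)off);
    return 0;
}
```

Run it twice under ASLR and the absolute addresses change while the printed offset stays the same; change the length of argv[0] (run it via a different path) or add another environment variable and the offset shifts, which is why the local measurement must be taken with the same binary path and the same environment the remote service uses. With a leaked stack pointer of 0x7ffe00001000 and a measured offset of 0x200, env_value_addr(0x7ffe00001000, 0x200, "MYENV") gives 0x7ffe00001206, the first byte after "MYENV=".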