Reputation: 122
In the C programming language, for execve:
    int execve(const char *filename, char *const argv[],
               char *const envp[]);
How can we use envp for exploiting?
Secondly, when passing values through envp, do we need to terminate it with a NULL?
Lastly, where is envp placed on the stack?
Thanks in advance!
Upvotes: 0
Views: 4010
Reputation: 981
When using system(), the program will use a shell to execute the command. So system() is vulnerable to command injection. Something like inserting
    MY_ENV_VAR=`touch /tmp/test`
execve(), on the other hand, doesn't use a shell. So you can't use envp to execute commands.
See also https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177.
Upvotes: 0
Reputation: 417
This example could help you understand the usage of execve() argv and envp:
    $ cat a.sh
    #!/bin/sh
    echo "value of PWDIR is $PWDIR"
    echo "first arg = $1"
    echo "second arg = $2"
    printenv
    /* execve.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        /* argv[0] of the new program is filled in below */
        char *newargv[] = { NULL, "hello", "world", NULL };
        /* envp, like argv, must end with a NULL pointer */
        char *newenviron[] = { "PWDIR=/home/root", NULL };

        if (argc != 2) {
            fprintf(stderr, "Usage: %s <file-to-exec>\n", argv[0]);
            exit(EXIT_FAILURE);
        }
        newargv[0] = argv[1];
        execve(argv[1], newargv, newenviron);
        perror("execve"); /* execve() only returns on error */
        exit(EXIT_FAILURE);
    }
Compiling the code:
    $ cc execve.c -o execve
Executing the code, with output as follows:
    $ ./execve a.sh
    value of PWDIR is /home/root
    first arg = hello
    second arg = world
    PWDIR=/home/root
    PWD=/home/arul/work/images/samples
The environment variable passed in execve is used in the shell script. Also note that when the script is executed, a separate shell will be spawned here.
Upvotes: 0
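Added example, not part of the original thread: a defensive way to build the envp handed to execve(), keeping only allowlisted variables from the parent and always ending the array with NULL. The allowlist, the fixed PATH value and the helper names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
/* Assumed allowlist (NULL-terminated) of names the child may inherit. */
static const char *const ALLOWED[] = { "LANG", "TZ", "TERM", NULL };
static char SAFE_PATH[] = "PATH=/usr/bin:/bin";   /* assumed fixed PATH */

/* Return 1 if entry is "NAME=value" and NAME is exactly on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : 0;   /* 0: malformed entry */
    for (size_t i = 0; len > 0 && ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == len && strncmp(entry, ALLOWED[i], len) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated envp: fixed PATH first, then allowlisted entries
 * borrowed from src. Only the array is allocated; NULL on failure. */
char **build_clean_envp(char *const src[], size_t *count)
{
    size_t n = 0, k = 0;
    while (src[n] != NULL) n++;                /* count up to terminator */
    char **out = calloc(n + 2, sizeof *out);   /* PATH + n entries + NULL */
    if (out == NULL)
        return NULL;
    out[k++] = SAFE_PATH;
    for (size_t i = 0; i < n; i++)
        if (is_allowed(src[i]))
            out[k++] = src[i];
    out[k] = NULL;                             /* execve() stops reading here */
    *count = k;
    return out;
}

int main(void)
{
    size_t n;
    char *argv[] = { "/usr/bin/env", NULL };
    char **envp = build_clean_envp(environ, &n);
    if (envp == NULL)
        return EXIT_FAILURE;
    execve(argv[0], argv, envp);               /* child prints its environment */
    perror("execve");                          /* reached only on failure */
    return EXIT_FAILURE;
}
```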
Reputation: 121
Shellcode on Linux tends to use syscalls to exec. Are you perhaps thinking of ret2libc? Your question is mixing C code and shellcode and it's not clear what you are asking.
Upvotes: 0