Tags: linux, environment-variables, buffer-overflow, exploit, shellcode

How to find address of the environment variables in Linux


I'm currently learning about stack-based buffer overflow exploitation using environment variables from 'The Art of Exploitation'. The point of the chapter is to use an environment variable for the shellcode without the need to create a NOP sled. That requires the exact address of the variable I am going to use. Here's the fragment:

With execl() , the existing environment is used, but if you use execle() , the entire environment can be specified. If the environment array is just the shellcode as the first string (with a NULL pointer to terminate the list), the only environment variable will be the shellcode. This makes its address easy to calculate. In Linux, the address will be **0xbffffffa** , minus the length of the shellcode in the environment, minus the length of the name of the executed program.

The point is I'm using a totally different version of the system (Kali Linux 64-bit with 4.19 kernel) and in my case, the base address used by the author (0xbffffffa) is very different and I have no idea where to look for it. Is there any method to find that or am I supposed to look somewhere in the documentation?

I assume that this address is somewhere in the base of the stack. Or is it the exact address of the stack base?


Solution

  • That looks like a 32-bit address for a 32-bit process under a 32-bit kernel, without stack ASLR. main gets 3 args: argc, argv, and envp, the last one being a pointer to the env[] array above RSP. Of course it's not going to be near RSP but below it; it would get stepped on by stack growth for function calls.

    At the process entry point (_start), the x86-64 System V ABI specifies that the initial RSP points at argc, and above that is argv[0], argv[1], ..., then the envp array (again NULL terminated).

    This is documented in the x86-64 System V ABI.

    The initial value for RSP is not fixed unless you disable stack ASLR.
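The layout the answer describes can be observed directly from inside a process, because the `envp` pointer handed to `main` (and glibc's `environ`) points at the very `char *` array that sits above the initial RSP. The program below is an added example, not code from the answer or from the book: it walks `envp` by hand to return the address of a named variable's value, totals the size of the environment strings, and, when run stand-alone on Linux/glibc, prints where `argv[0]`, the `envp` array and its first string actually live so the effect of stack ASLR can be seen by running it twice. The three-argument form of `main` is a Linux/glibc extension that the x86-64 System V startup code supports; the `sample_env` array is a constructed stand-in used only to exercise the helpers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* glibc's copy of the envp pointer passed to main */

/* Return a pointer to the value part of "NAME=value" inside the environment
 * block envp, or NULL if NAME is absent.  Unlike getenv() this makes the
 * arithmetic explicit: the value is not copied anywhere, it lives in the
 * same string envp[i] points to, at envp[i] + strlen(name) + 1. */
const char *find_env_value_address(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    }
    return NULL;
}

/* Total bytes occupied by all environment strings, each including its
 * terminating NUL.  This is the "length of the environment" quantity that
 * the book's formula subtracts from the top of the stack. */
size_t env_strings_size(char *const *envp)
{
    size_t total = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        total += strlen(envp[i]) + 1;
    return total;
}

/* Constructed sample environment (not a real process environment), used to
 * demonstrate the helpers independently of whatever the shell exported. */
static char *sample_env[] = { "HOME=/tmp", "MYVAR=hello", NULL };

int main(int argc, char **argv, char **envp)
{
    (void)argc;
    printf("argv[0] string      : %p\n", (void *)argv[0]);
    printf("envp array          : %p\n", (void *)envp);
    printf("envp[0] string      : %p\n", (void *)envp[0]);
    printf("environ == envp     : %s\n", environ == envp ? "yes" : "no");
    printf("env strings total   : %zu bytes\n", env_strings_size(envp));

    /* getenv() returns a pointer into the same string, so the two agree. */
    const char *by_walk = find_env_value_address(envp, "PATH");
    const char *by_getenv = getenv("PATH");
    printf("PATH value (walk)   : %p\n", (const void *)by_walk);
    printf("PATH value (getenv) : %p\n", (const void *)by_getenv);

    /* Run the program twice: with /proc/sys/kernel/randomize_va_space set to
     * 2 (the usual default) every address above changes between runs, which
     * is exactly why the book's fixed 0xbffffffa does not carry over. */
    printf("sample MYVAR value  : %s\n",
           find_env_value_address(sample_env, "MYVAR"));
    return 0;
}
```

The printed `envp[0]` address is the lower end of the environment strings, which on a 64-bit Linux process sit just below the top of the stack mapping rather than below a 32-bit `0xc0000000`; the gap between runs is the randomisation the answer refers to.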