Get the environment variable address

Question

I have ASLR disabled. Well, I want obtain the address of the environment variable "SHELL", so I use the C function getenv().

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char* ptr = getenv("SHELL");
    printf("%p\n", ptr);
}

The address obtained with getenv()

$ ./getenv
0xbffff752

The address obtained with gdb:

gdb> x/4000s $esp
...
(gdb) x/s 0xbffff710
0xbffff710:     "SHELL=/bin/bash"
(gdb) x/s 0xbffff716
0xbffff716:     "/bin/bash"

Why are the addresses different? As noted, I must say the correct address in the obtained with GDB.

Answer 1

Why the addresses are different?

Because one is run under gdb and one isn't. Running under a different environment results in a different environment. Literally.

What's the output of the printf() statement when running under gdb?

As note, I must say the correct address in the obtained with gdb.

What information is that statement based on?

Answer 2

The trouble is that your list of environment variables can differ when running under gdb and without it. And that is enough to cause the shift in address.

Somewhat shortened listing... (your program)

$ gdb ./a.out
(gdb) r
Starting program: /home/mfranc/a.out 
0x7fffffffdd37
(gdb) r
Starting program: /home/mfranc/a.out 
0x7fffffffdd37
(gdb) set environment a="hello world"
(gdb) r
Starting program: /home/mfranc/a.out 
0x7fffffffdd27
(gdb) r
Starting program: /home/mfranc/a.out 
0x7fffffffdd27
(gdb) unset environment a
(gdb) r
Starting program: /home/mfranc/a.out 
0x7fffffffdd37
(gdb) 

Generally you should debug in the original environment and attach to the process via gdb -p $PID. If you spawn process in a slightly different way and the environment will differ slightly you might see different addresses.