Environment Variable - kkli08/Buffer-Overflow GitHub Wiki

The command ./vulnerable $EGG actually means running the vulnerable program with the contents of the EGG environment variable passed as an argument. It's important to differentiate between environment variables and command-line arguments:

Environment Variable (EGG):
- In exploit2.c, the EGG environment variable is created and set to contain the exploit payload. This environment variable exists within the environment of the process running the exploit2.c program and any child processes spawned from it, including the new bash shell started by system("/bin/bash");.
Command-Line Argument:
- When you execute ./vulnerable $EGG, the shell interprets $EGG as a request to substitute the value of the EGG environment variable.
- The shell replaces $EGG with its contents (the exploit payload) before the vulnerable program starts.
- The vulnerable program receives this substituted content as a command-line argument, not as an environment variable.

How It Works

In the Shell: When you type ./vulnerable $EGG, the shell expands $EGG to the value stored in the EGG environment variable before executing the vulnerable command. This expansion converts the command into something like ./vulnerable [contents_of_EGG].
In the vulnerable Program: The vulnerable program then receives the contents of EGG as its first command-line argument (argv[1]). It's not directly aware that this argument came from an environment variable; from the program's perspective, it's just a regular command-line argument.

Example

If the EGG environment variable contains the string "exploit_payload", then running ./vulnerable $EGG is effectively the same as running ./vulnerable exploit_payload.

Conclusion

To summarize, in the command ./vulnerable $EGG, EGG is used as an environment variable that is expanded by the shell into a command-line argument for the vulnerable program. The vulnerable program receives this expanded value as a regular argument, not as an environment variable.